Skillv1.0.0

ClawScan security

Change Safeguard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 14, 2026, 1:58 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, scope, and resource needs are consistent with its stated purpose of enforcing careful file/config edits; it asks for no extra credentials or installs, but it assumes the agent can read and modify workspace files and the README's 'global' claim is inconsistent with the manifest.
Guidance: This skill appears coherent and implements a conservative, manual-change workflow. Before installing: 1) Confirm your agent runtime actually enforces the 'wait for user confirmation' step and cannot bypass it when invoking the skill autonomously. 2) Confirm the agent has explicit and limited workspace access—avoid allowing broad root-level greps; limit the search paths to project folders. 3) Test the workflow in a safe repo/branch to validate the change-list and re-grep steps. 4) Note the SKILL.md's claim that it is 'global'—if you don't want a mandatory policy, ensure the platform does not set always:true or auto-run the skill. If those operational controls are acceptable, the skill's behavior is proportionate to its purpose.

Review Dimensions

Purpose & Capability: okName/description (safeguard code/config changes) align with the instructions (search, list, edit, re-verify). The skill requires no external services, credentials, or unusual binaries—only the ability to search and edit workspace files, which is proportionate to its goal. Minor inconsistency: SKILL.md claims '_all agents must follow_,' but registry flags do not set always:true.
Instruction Scope: noteSKILL.md gives explicit runtime steps (grep across file types, build a change list, sequential edits, mandatory re-grep). These instructions stay within the stated purpose and do not call external endpoints or request secrets. However, they assume the agent can run shell commands and modify arbitrary workspace files; the example uses broad searches (e.g., /path/to or root-like patterns) which could scan large areas or sensitive files if misapplied. The skill does require user confirmation before edits (good), so ensure that step cannot be bypassed by the agent runtime.
Install Mechanism: okInstruction-only skill with no install steps or downloaded artifacts. No code is written to disk by an installer—low install risk.
Credentials: okNo environment variables, credentials, or config paths are requested. The absence of secrets is proportionate to a purely local file-editing guardrail.
Persistence & Privilege: noteRegistry flags: always:false and model invocation allowed (default). The skill's content insists it be treated as a global policy, but the manifest does not grant always:true. Because the skill's runtime actions modify files, allowlisting autonomous invocation could increase risk if the platform permits the agent to run edits without proper confirmation. This is not a defect in the skill itself, but an operational consideration for the platform and the user.