Skill v1.0.1
ClawScan security
dapr-dotnet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 3:36 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, scope, and requirements align with its Dapr + .NET backend purpose; it is an instruction-only guide with no installs or credential requests.
- Guidance: This is an instruction-only skill that provides Dapr + .NET architecture guidance and code snippets; it is internally consistent. Before using it, review the SKILL.md yourself:
  1. Verify that any commands or helper calls (e.g., AddDaprdProcess/BaseHelper) will be run in a safe development environment and won't spawn unexpected processes.
  2. Replace localhost/example credentials with safe values and never paste real production secrets into config snippets.
  3. If you plan to let an agent apply these instructions, run it in a sandbox or dev cluster so it cannot touch production resources.
  4. Because the skill's source is unknown, prefer manual review of the snippets before executing them.
Review Dimensions
- Purpose & Capability: ok. Name and description (Dapr + .NET backend expertise) match the SKILL.md content: project structure, YAML config for Dapr components, and C# code samples for typical microservice patterns.
- Instruction Scope: ok. SKILL.md contains architecture guidance, YAML and C# snippets, and recommendations for running a Dapr sidecar. It does not instruct reading unrelated system files, exfiltrating data, or accessing secrets beyond typical local dev config files (.dapr components/config). It does reference a helper (BaseHelper.AddDaprdProcess) that would start a process if implemented, which is expected for local Dapr debugging.
- Install Mechanism: ok. No install spec is present (instruction-only). Nothing will be written to disk by an installer; therefore there is no download or package-install risk from the skill itself.
- Credentials: ok. The skill declares no required environment variables or credentials. The included sample configs use local endpoints (localhost) and empty passwords; nothing in the skill requests unrelated cloud credentials or secrets.
- Persistence & Privilege: ok. Skill is user-invocable, not always-enabled, and allows model invocation (the platform default). It does not request persistent presence or system-wide config changes.
