Skill v0.0.1
ClawScan security
my skill demo showcase · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 8:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is a minimal, self-contained TypeScript hello-world demo whose code, declared dependencies, and runtime instructions align with its stated purpose.
- Guidance: This skill appears coherent and minimal. Before running `npm install` or `npx ts-node`, review package.json (already minimal here) and consider installing in a sandboxed environment if you run untrusted packages. If you plan to use it in production, pin dependency versions and/or verify package integrity; otherwise, running the provided scripts locally to inspect output is sufficient.
Review Dimensions
- Purpose & Capability (ok): Name/description claim a minimal TypeScript hello-world demo; the files (hello.ts, embedding-demo.ts), package.json (dayjs dependency), and README all match that purpose. Nothing requested or present (no credentials, no system paths) is extraneous to a hello-world demo.
- Instruction Scope (ok): SKILL.md only instructs installing npm deps in the skill folder and running the included TypeScript script via ts-node, or importing the exported function. It does not direct reading unrelated files, accessing secrets, or calling external endpoints beyond normal npm package fetching. The example cd path (/home/ubuntu/skill-demo) is just illustrative.
- Install Mechanism (note): There is no formal install spec; the README recommends running `npm install` and `npx ts-node`. That uses the public npm registry (standard for Node). This is expected but carries the usual npm-registry risk (install scripts, transitive packages). package.json lists only `dayjs` (runtime) and `ts-node`/`typescript` (dev).
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. Runtime instructions do not read undeclared env vars. No disproportionate access to secrets is requested.
- Persistence & Privilege (ok): Skill is not always-enabled and allows normal model invocation. It does not request to modify other skills or system-wide agent settings and has no install hooks declared that would persist beyond its own folder.
