Skill v1.8.2
ClawScan security
Rohoon Six Sigma · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 5:14 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and requirements are consistent with a Six Sigma / SPC toolkit: it asks for no credentials, has no install step, and its runtime instructions only run local Python analysis/reporting scripts.
- Guidance: This package appears coherent with its stated purpose and does not request credentials or network access. Things to consider before installing:
  1. The skill contains many Python scripts that will execute locally and will read/write files (e.g., /tmp, generated reports); run it in a controlled environment if you are unsure.
  2. You must install Python dependencies from requirements.txt (numpy, scipy, pandas, reportlab, matplotlib, openpyxl).
  3. The repository/source/homepage are not verified in the registry metadata (package.json points to a GitHub URL but the skill's 'source' / 'homepage' fields are empty); if provenance matters, review the repo upstream or run tests locally (pytest) before use.
  4. A few scripts insert specific sys.path entries (e.g., '/Library/Python/3.9/site-packages') or import a local generate_figure12_3 backend; inspect those files/modules to ensure they are the expected implementations.
  Overall the skill looks consistent and not suspicious, but as with any code bundle, review or sandbox before running on sensitive systems or data.
Review Dimensions
- Purpose & Capability: ok. The name/description (Six Sigma, SPC, MSA, DOE, AIAG‑VDA reports) match the included Python scripts, references, docs, and examples. Scripts implement control charts, capability, MSA, DOE, PDF/Excel report generation as claimed.
- Instruction Scope: ok. SKILL.md instructs the agent to run local Python scripts on user-provided data and to generate reports; it does not request unrelated system files, environment secrets, or network endpoints. Example commands target local files (/tmp and repo scripts).
- Install Mechanism: ok. No install spec is present (instruction-only). Code is bundled in the skill; there are no downloads from external URLs or archive extraction steps in the metadata. Dependencies are Python packages listed in requirements.txt.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The code uses standard local resources (fonts, /tmp) and Python libraries; nothing requests unrelated secrets.
- Persistence & Privilege: ok. The skill is not forced-always-on (always:false) and does not claim to modify other skills or system-wide settings. It will run locally when invoked and writes output files (reports), which is expected for its purpose.
