Back to skill
Skillv1.0.2
ClawScan security
FlowVisualExplainer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:46 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, instructions, and optional share helper are coherent with its stated purpose (generate self-contained HTML visual explainers); nothing appears to request unrelated credentials or install arbitrary third‑party code during install.
- Guidance
- This skill appears coherent and focused on producing self-contained HTML visualizations. Things to check before installing or using: 1) If you use the 'share' command, the included scripts will execute a vercel-deploy deploy.sh found on your system — verify that vercel-deploy is trusted and has appropriate credentials, because that other skill will perform the network deployment. 2) Generated HTML may import CDN JS (mermaid, Chart.js) when opened in a browser — review outputs for any unexpected external endpoints before publishing. 3) The skill's SKILL.md forces HTML output for complex tables and contains the rule "Never fall back to ASCII art" — enable the skill only if you want it to override plain-text fallbacks. If you want extra assurance, inspect templates and the scripts/share.sh locally (they are small and human-readable) and test sharing on a non-production account first.
Review Dimensions
- Purpose & Capability
- okName/description match what the skill includes: templates, CSS patterns, Mermaid guidance, and a share helper. The included scripts and templates are appropriate for producing self-contained HTML diagrams, tables, and slide decks.
- Instruction Scope
- noteSKILL.md directs the agent to read the bundled reference and template files and to open generated HTML in a browser. It also instructs probing the environment (e.g., 'which surf') and to always prefer HTML ("Never fall back to ASCII art"), which is an aggressive, global preference but still within the skill's goal. The 'share' command calls a local share.sh which executes another skill's deploy script — this causes cross-skill execution but is explained in the README.
- Install Mechanism
- okNo install spec — instruction-only skill with templates and a small helper script. Nothing downloads or writes code during installation. The only executable file is scripts/share.sh (a bash helper) which is present in the bundle.
- Credentials
- noteThe skill declares no required env vars or credentials. The share.sh looks for a separate vercel-deploy skill and executes its deploy.sh; any credentials required for deployment would be owned by that vercel-deploy skill (not declared here). Users should confirm the trust and configuration of the vercel-deploy skill before using 'share'.
- Persistence & Privilege
- okalways:false and no special persistence or system-wide config changes are requested. The skill does not request to modify other skills' configs; it merely calls another skill's deploy script at runtime when asked to share.