Skill v1.0.0

ClawScan security

Code Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 11, 2026, 9:40 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only code-review checklist that is internally consistent with its stated purpose and does not request credentials or install components by itself.
Guidance
This skill is a text-based checklist and appears coherent and low-risk: it doesn't ask for credentials or install anything automatically. Before installing or copying files suggested in the README, verify the source (GitHub repo/owner) since the README points to external locations. If you plan to add it to an environment where skills run code, prefer installing from a trusted registry or inspect the repository contents first. If you need higher assurance, request a homepage or repository link and review the files referenced by the install commands.

Review Dimensions

Purpose & Capability
ok
The skill's name and description match the SKILL.md content: a systematic checklist for security, performance, correctness, maintainability, testing, etc. It does not request unrelated binaries, environment variables, or credentials.
Instruction Scope
ok
SKILL.md contains review checklists, guidance, and manual installation instructions (npx/cloning/copying files). It does not instruct the agent to read user secrets, system-wide config, or exfiltrate data. The scope stays within code-review/checklist guidance.
Install Mechanism
note
The registry entry itself has no install spec (lowest risk). README/SKILL.md include manual install examples (npx, copying from ~/.ai-skills or GitHub). Those are normal for sharing skills but, if followed, would pull code from external locations — verify the source before running such commands.
Credentials
ok
No environment variables, secrets, or credential requests are declared or used in SKILL.md. Nothing disproportionate is requested for a checklist-style skill.
Persistence & Privilege
ok
Flags are default (always:false, user-invocable:true, autonomous invocation allowed). The skill does not request permanent presence or modify other skills; privileges are appropriate for a user-invoked checklist.