v1.0.0

Skill Extraction

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

This instruction-only skill coherently scans a project and writes extracted documentation or skill files, but users should review generated outputs before reusing them.

GuidanceThis skill appears consistent with its stated purpose and has no code or credential requirements. Before installing or running it, be comfortable with it reading the current repository and writing generated files under docs/extracted/ and ai/skills/. Review the generated skills and documentation for secrets, confidential project details, or unwanted instructions before reusing them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

COMMAND.md

Outputs to `ai/skills/` and `docs/extracted/`

The skill is designed to create files in the repository. This is purpose-aligned, but users should expect local file changes.

User impactRunning the command can add or change documentation and skill files in the current project.

RecommendationReview generated files with normal version-control diffs before committing, installing, or relying on them.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

README.md

npx add https://github.com/wpank/ai/tree/main/skills/extraction/pattern-extraction

The README documents a remote npx/GitHub-based installation path while the registry source is listed as unknown. No runnable code is included here, so this is a provenance note rather than a behavioral concern.

User impactUsers may install from a remote source whose provenance is not fully described in the registry metadata.

RecommendationPrefer the trusted registry install path or inspect the referenced repository before installing from the GitHub URL.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityLowConfidenceHighStatusNote

SKILL.md

Create `ai/skills/[project]-[pattern]/SKILL.md`

The output can become persistent agent-consumable skill content. If extracted from private, untrusted, or overly specific project material, that content may affect future agent behavior.

User impactProject patterns, architecture details, or unintended sensitive context could be preserved in reusable skill files.

RecommendationRun it only on intended repositories, check generated skills for secrets or project-specific confidential details, and approve them before reuse.