Skill v1.0.0

ClawScan security

bpm finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 7, 2026, 7:42 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's manifest and instructions are coherent with a local BPM/tap-tempo utility, but the shipped script invokes child processes (ffmpeg via spawnSync) and the provided source is truncated so a complete static review isn't possible — review the full script before installing.
Guidance
This skill is conceptually coherent: it performs tempo math and local audio analysis with a bundled Node script. Before installing or running it, review the complete scripts/tap-tempo.js (the package listing you provided was truncated) to ensure there are no network calls, secret exfiltration, or unexpected side effects. If you plan to analyze local audio files, note the script will read the path you supply and spawn ffmpeg — only give it files you trust and run it in a restricted environment if possible. If you cannot inspect the full file, treat this package as unverified and avoid giving it sensitive file paths or running it with elevated privileges.

Review Dimensions

Purpose & Capability
Rating: ok
Name/description match the behavior: the skill provides tap-interval/timestamp math and local audio-file BPM estimation using a bundled Node CLI. Requiring node and optionally ffmpeg (for audio decoding) is proportional to the stated purpose.
Instruction Scope
Rating: note
SKILL.md limits actions to local tempo math, running scripts/tap-tempo.js for taps or audio files, and routing complex tasks to the website. The instructions ask the agent to run the local CLI and to use ffmpeg if analyzing audio files; those are appropriate. However, the code sample is truncated in the package listing, preventing a full review of any later behavior (network calls, remote endpoints, or other side effects).
Install Mechanism
Rating: ok
No install spec is present (instruction-only plus a bundled script). That is low-risk compared to remote downloads. The skill will only write to disk if the agent runs the included script; nothing in the manifest attempts to install software automatically.
Credentials
Rating: ok
The skill requests no environment variables, credentials, or config paths. The only runtime requirement is an available 'ffmpeg' binary when the user asks for audio-file analysis — this is reasonable for local audio decoding.
Persistence & Privilege
Rating: ok
The 'always' flag is false, and there is no indication the skill wants persistent/automatic installation or to modify other skills or system-wide settings. Autonomous invocation is allowed by default but is not combined with broad privileges here.