Back to skill
Skillv0.1.0
ClawScan security
dyn-object-masks · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 14, 2026, 7:18 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions are coherent with its stated purpose (generating sparse dynamic-object masks); it does not request unrelated credentials or suspicious system access, though it implicitly requires Python libraries that are not declared.
- Guidance
- This skill appears internally consistent and focused on computing sparse dynamic-object masks. Before installing or running it, verify the runtime has Python with numpy and OpenCV (cv2) available, or ask the author to include an explicit install/dependency spec. Review what image frames (prev_gray, curr_gray) and transforms (M) the agent will be given and avoid feeding sensitive video if you don't want it processed. If you want stricter controls, request the skill declare its dependencies (pip packages or a container) and exact input/output data formats to reduce ambiguity.
Review Dimensions
- Purpose & Capability
- noteName/description match the instructions: all steps are image-processing operations to produce CSR sparse masks. Minor mismatch: SKILL.md presumes a Python runtime with numpy/OpenCV but the skill metadata lists no required binaries or dependencies.
- Instruction Scope
- okInstructions stay within scope: they describe warping, thresholding, morphology, connected-component filtering, and CSR encoding. No steps read unrelated files, environment variables, or transmit data externally.
- Install Mechanism
- noteNo install spec (instruction-only), which is low risk. However the runtime sketch depends on Python, numpy, and OpenCV (cv2); those are not declared. This is an operational omission rather than an active risk.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths — appropriate for a local image-processing helper.
- Persistence & Privilege
- okNo elevated persistence requested (always:false). Autonomous invocation is allowed by platform default but the skill does not request broader privileges or modify other skill/config state.