Skillv0.1.0

ClawScan security

casadi-ipopt-nlp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 15, 2026, 4:03 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only guide for using CasADi with IPOPT and is internally consistent with no unexpected credential, install-spec, or file-access demands.
Guidance: This is a coherent, instruction-only guide for building and solving NLPs with CasADi+IPOPT. Before following the guide: (1) run the apt-get/pip steps in a controlled environment (these commands require root or virtualenv and will modify system/python packages); (2) verify the pinned package versions (numpy==1.26.4, casadi==3.6.7) are appropriate for your platform; (3) if running on a managed/hosted agent, confirm you are allowed to install system packages; and (4) test the example code on a small problem first. No credentials or external endpoints are requested by the skill.

Review Dimensions

Purpose & Capability: okThe name and description (CasADi + IPOPT for NLPs and power-system patterns) match the SKILL.md content: examples, solver options, initialization strategies, and power-system-specific notes are all relevant and proportionate.
Instruction Scope: noteSKILL.md is a detailed how-to and stays on-topic. It includes shell commands to install system dependencies (apt-get libgfortran5) and pip packages (numpy, casadi). Those commands are expected for running CasADi/IPOPT but are operational actions the user/host must consciously execute — the instructions do not ask for unrelated files, credentials, or exfiltration.
Install Mechanism: noteThere is no formal install spec; the document suggests running apt-get and pip. Because this is instruction-only, nothing will be written or executed automatically by the skill itself, but following the guide requires privileged package management (apt) and pip installs which the user should vet (version pins are provided for numpy and casadi).
Credentials: okThe skill requests no environment variables, credentials, or config paths. This is appropriate for a client-side how-to that only needs local Python packages and system libs.
Persistence & Privilege: okThe skill is not always-enabled and does not request persistent agent privileges, nor does it instruct modifying other skill configs or storing credentials. Autonomous invocation is allowed by platform default but the skill contains no automatic actions that would abuse that.