Skill v0.1.0

ClawScan security

testing-python · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 6:12 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
An instruction-only pytest guidance skill whose requirements and runtime instructions are coherent with its stated purpose and do not request extra credentials or installs.
Guidance
This is an instruction-only pytest guidance skill and appears coherent with its stated purpose. Before installing or relying on it, confirm the project conventions it assumes (asyncio_mode = "auto", availability of a FastMCP package and in-memory transport, an inline-snapshot tool, and the `uv` command) match your environment. Because the skill is just prose (no code or installs) it has low direct risk, but follow your normal vetting for any project-specific tooling or plugins it references.

Review Dimensions

Purpose & Capability
ok: The name and description (writing/evaluating Python tests with pytest) match the SKILL.md content which contains test patterns, fixtures, mocking guidance, and project-specific conventions. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
note: Instructions stay within the domain of test authoring and running. They reference project-specific settings (e.g., asyncio_mode = "auto"), an in-memory FastMCP transport, an inline-snapshot helper, and a `uv run pytest` command. These are assumptions about the target project/tooling rather than indicators of exfiltration or out-of-scope access; verify your project actually uses these tools/plugins before relying on the guidance.
Install Mechanism
ok: No install spec, no downloads, and no code files. This instruction-only skill does not write to disk or fetch remote artifacts.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The guidance references typical test fixtures and temporary paths (tmp_path) but does not ask for secrets or external tokens.
Persistence & Privilege
ok: The skill is not marked always:true and does not attempt to modify agent state. Autonomous invocation is allowed by platform default but is not combined with any other concerning privileges.