Skill v0.1.0
ClawScan security
maven-dependency-management · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 7:14 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: This is an instruction-only, documentation-style skill about Maven dependency management whose declared requirements and runtime instructions (as provided) match its stated purpose and request no extra privileges.
- Guidance: This appears to be a harmless documentation/help skill for Maven dependency management. Before installing: (1) inspect the full SKILL.md to confirm there are no later sections that run commands (mvn, shell) or instruct file access; (2) because source/homepage are unknown, avoid granting autonomous access in sensitive environments if you don't trust the publisher — you can keep it user-invocable only; (3) if you expect the skill to perform active operations (run builds, edit files), prefer a skill that declares those capabilities and required permissions explicitly.
Review Dimensions
- Purpose & Capability (ok): The name and description match the SKILL.md content: guidance and examples for Maven dependency declaration, scopes, BOMs, and version management. No unrelated binaries, env vars, or config paths are requested.
- Instruction Scope (ok): The provided SKILL.md is static documentation with XML examples and does not instruct the agent to read files, access environment variables, contact external endpoints, or perform system-level actions. Note: the file shown in the prompt was truncated — this assessment assumes the remainder is similar documentation rather than hidden executable instructions.
- Install Mechanism (ok): No install spec or code files are present (instruction-only), which is lowest-risk: nothing is downloaded or written to disk by the skill itself.
- Credentials (ok): The skill requires no environment variables, credentials, or configuration paths — proportionate for a documentation/help skill.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. The skill does not request persistent system presence or modify other skills. Autonomous invocation is allowed (disable-model-invocation=false), which is the platform default and not by itself a concern.
