Skill v0.1.0

ClawScan security

maven-plugin-configuration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 7:14 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only Maven plugin configuration guide and its requested footprint (no installs, no env vars, no binaries) is consistent with that purpose.
Guidance
This skill is an instruction-only Maven plugin configuration guide and appears coherent with its stated purpose. Because it has no install steps and requests no credentials, the direct security risk is low. Still, note the skill author and source are unknown and there is no homepage — review the SKILL.md content if you plan to rely on specific version recommendations or copy snippets into production POMs. If you want extra caution, open the SKILL.md and verify any suggested plugin versions and configuration against official plugin documentation before applying them to critical builds.

Review Dimensions

Purpose & Capability
ok
The name/description (Maven plugin configuration) match the SKILL.md content: extensive pom.xml snippets and configuration guidance for compiler, surefire, jar, javadoc, resources, and related plugins. There are no unexpected requirements (no cloud credentials, no unrelated binaries).
Instruction Scope
ok
SKILL.md is purely documentation and sample XML. It does not instruct the agent to run shell commands, read system files, fetch or post data to external endpoints, or access environment variables beyond normal Maven properties. There are no vague, open-ended steps asking the agent to gather arbitrary context.
Install Mechanism
ok
There is no install spec (instruction-only skill), so nothing is downloaded or written to disk by the skill itself — this is the lowest-risk install footprint.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. Its guidance references Maven properties and example placeholders (e.g., ${user.name}), which are appropriate for pom configuration and do not imply secret access.
Persistence & Privilege
ok
The skill is not set to always:true and does not request persistent system privileges or modify other skills or system-wide agent settings. Autonomous invocation is allowed by platform default but is not combined with any other elevated privileges here.