Skillv1.0.4

ClawScan security

hap-upgrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 22, 2026, 2:03 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only skill whose requirements and instructions align with generating HAP private-deployment upgrade guides; it reads packaged references and fetches the official docs site and does not request unrelated credentials or install code.
Guidance: This skill is coherent for generating HAP upgrade guides: it reads the bundled reference files and fetches the official docs site to build instructions. It does not ask for secrets or install code on your machine. Important cautions: (1) the generated guides include exact shell commands (sed to modify files, docker/k8s commands, and examples that curl remote scripts and run them). Do not paste-and-run those commands without verifying the referenced official pages and remote scripts yourself. (2) The skill relies on real-time content from https://docs-pd.mingdao.com — if your environment lacks internet access the skill will generate an offline-version guide only if the user supplies the needed offline resources. (3) If you want the agent to also execute any commands (rather than only produce a guide), do not enable automatic execution — verify steps manually. If you need higher assurance, ask the skill author for explicit provenance for any remote scripts (e.g., exact release URLs and checksums) before execution.

Purpose & Capability: okName/description (HAP 私有部署升级) match the requested artifacts: local reference files, templates, and runtime instructions to fetch https://docs-pd.mingdao.com; no unrelated env vars, binaries, or installs are requested.
Instruction Scope: noteSKILL.md stays focused on upgrade guidance and document generation: it requires reading included reference files and fetching official pages under docs-pd.mingdao.com. It will produce exact shell commands (sed, docker, kubectl, curl) in output docs—appropriate for the purpose but potentially dangerous if blindly executed. The skill does not instruct the agent to read arbitrary user system files or secrets, but generated guides include commands that modify system files and download/execute remote scripts, so users must verify before running them.
Install Mechanism: okInstruction-only skill with no install spec and no code to download or extract; lowest install risk.
Credentials: okNo environment variables, credentials, or config paths are requested by the skill. The examples reference service file paths purely for generated commands, which is proportionate to creating actionable guides.
Persistence & Privilege: okalways:false and no special persistence requested. Model invocation is allowed (platform default) but this is not combined with broad credential access or installs.