Skill v1.0.0
ClawScan security
Afm Force Curve Analyzer 1.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 10:23 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with an AFM force-curve analysis tool and do not request credentials or network access, but there are small implementation/packaging inconsistencies and missing install steps you should be aware of before use.
- Guidance: This skill appears to be an offline AFM force-curve analysis tool and does not request credentials or network access, which is good. Before installing or running it:
  1. Note that SKILL.md shows a CLI name (afm-force-curve-analyzer) but the package includes only analyze.py and no install wrapper; you may need to manually run analyze.py or create an entrypoint.
  2. Ensure the required Python scientific packages (numpy, pandas, scipy, lmfit, matplotlib) are installed in a controlled environment (virtualenv / conda), since the skill does not provide an installer.
  3. Inspect the full analyze.py file yourself (especially portions truncated in the bundle) for any reads of unexpected system paths or network I/O before running.
  4. Run the tool on non-sensitive sample data first to confirm behavior and outputs.
  5. Be aware the parsers use heuristic detection and may mis-parse some vendor formats (.nwi handling appears referenced in SKILL.md but a specific parser was not obvious), so verify parsed data for correctness.
  If you want higher assurance, ask the owner for an install script or a packaged release that declares dependencies and provides a proper CLI entrypoint.
- Findings
[no_findings] expected: Static pre-scan reported no injection signals. This aligns with the code, which performs local numeric processing and file parsing and contains no obvious network calls or subprocess execution patterns in the visible portion.
Review Dimensions
- Purpose & Capability (ok): Name, description, SKILL.md, and analyze.py all focus on AFM force-distance / nanoindentation analysis (Sneddon/Hertz/JKR/DMT models, parsing vendor formats, generating plots and CSV/JSON/MD outputs). Required capabilities requested by the skill match its stated purpose; no unrelated credentials, binaries, or external services are requested.
- Instruction Scope (note): SKILL.md instructs running a CLI (afm-force-curve-analyzer) to process local data files and produce local outputs; there are no instructions to read system config, fetch remote endpoints, or exfiltrate data. Note: SKILL.md triggers on several natural-language phrases (including non-English), which is expected for an invocation trigger.
- Install Mechanism (concern): This is instruction-only (no install spec). analyze.py is included but SKILL.md presents a CLI name (afm-force-curve-analyzer) that is not provided by an install step or wrapper; the skill does not include a packaged executable or installation instructions to expose that command. Also, the code depends on scientific Python packages (numpy, pandas, scipy, lmfit, matplotlib) but the skill provides no mechanism to ensure those are present.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. The analyze.py file operates on user-supplied data files only. There is no code that reads unrelated environment variables or credential files.
- Persistence & Privilege (ok): "always" is false and "disable-model-invocation" is false (normal). The skill does not request persistent system privileges or modify other skills' configurations. No evidence of self-enabling or system-wide changes in the provided files.
