Back to skill
Skillv3.0.2
ClawScan security
Adversarial Robustness Toolbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 24, 2026, 1:11 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it provides local, read-only reference text and the included shell script only prints static documentation — no credentials, network calls, or installs are required.
- Guidance
- This skill appears safe and coherent: it only prints local reference documentation and does not require credentials, network access, or installs. As a general precaution, review the included script before running it and, if you plan to execute it on sensitive systems, consider running it in a sandbox or isolated environment. Note the small documentation wording inconsistency in the quickstart (mentioning "access credentials") — it doesn't change behavior but you may want to confirm there are truly no external dependencies before integrating into automated workflows.
Review Dimensions
- Purpose & Capability
- okThe name/description (Adversarial Robustness Toolbox reference) match the provided files. The SKILL.md and scripts/script.sh both implement only local reference output; there are no unrelated environment variables, binaries, or cloud credentials requested.
- Instruction Scope
- noteSKILL.md explicitly states outputs are plain-text heredocs with no external API calls. The included script only emits static documentation. Minor inconsistency: the quickstart text mentions 'Required tools and access credentials' as generic guidance, but elsewhere the skill says no API keys or credentials are required — this appears to be documentation phrasing rather than an actual requirement.
- Install Mechanism
- okNo install spec is present (instruction-only style). A single bash script is included but it only prints static content; nothing is downloaded or written to arbitrary locations during runtime.
- Credentials
- okThe skill requests no environment variables, no credentials, and no config paths. The runtime files do not read environment variables or access external secrets.
- Persistence & Privilege
- okalways is false, the skill does not request persistent/system-wide privileges or modify other skills or agent settings. It runs as an on-demand reference tool.