Skill v2.0.0

ClawScan security

Communityhub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 7:08 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with a local community-management CLI: no network calls or credential requests, but it will create and write data/log files in the user's data directory.
Guidance
This skill appears to be a simple local CLI for community management and is internally coherent. Before installing:
(1) review the two scripts yourself (they are short and readable) to confirm you’re comfortable;
(2) be aware the tool creates ~/.local/share/communityhub/ (or a dir you set via COMMUNITYHUB_DIR) and writes data.log and history.log — avoid entering passwords or other secrets as command arguments because they may be logged;
(3) note the registry metadata lacked a homepage/source while SKILL.md includes bytesagain.com and a GitHub link — if provenance matters, verify the GitHub repo and author;
(4) if you want extra isolation, run it in a sandboxed account or container and delete the data directory when finished.

Review Dimensions

Purpose & Capability
Note: Name/description promise community management functionality and the included scripts implement help, templates, local data storage, and simple CLI commands — this is coherent. Minor provenance mismatch: registry metadata shows no homepage/source, but SKILL.md contains a homepage (bytesagain.com) and a GitHub source URL; this is inconsistent but not intrinsically dangerous.
Instruction Scope
Note: SKILL.md instructs running the local CLI and declares COMMUNITYHUB_DIR for data storage. The bundled scripts only operate locally (generate templates, manage a local data.log and history.log) and print to stdout. They do log user-provided arguments to history.log, so sensitive input supplied to commands could be persisted.
Install Mechanism
OK: No install spec; the skill is instruction-only with included scripts. No external downloads or package installations are performed by the scripts. Files are plain shell and Python and not obfuscated.
Credentials
OK: The skill declares no required environment variables or credentials. The scripts read COMMUNITYHUB_DIR (optional) and standard XDG/HOME locations to determine a data directory — this is appropriate for a local CLI and proportional to the stated purpose.
Persistence & Privilege
Note: always:false and the skill does not request elevated privileges. It will create a data directory (default ~/.local/share/communityhub/) and write data.log and history.log there; this provides persistent local storage of user inputs and command history.