Skillv2.0.5

ClawScan security

Dnscheck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 24, 2026, 1:15 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions match its stated purpose (a local reference/cheatsheet); it doesn't request credentials, perform network calls, or install external code.
Guidance: This skill is a local reference tool and appears coherent and low-risk: it prints built-in documentation and doesn't access the network or secrets. If you plan to run the included script, inspect the small shell file (scripts/script.sh) yourself — it only emits heredoc text. Note the minor version/documentation inconsistencies (different version strings and one generic quickstart line mentioning credentials) — these are likely editorial and not functional. If you need strong assurance, run the script in a sandbox or review the repo origin (bytesagain.com / GitHub link) before installing.

Review Dimensions

Purpose & Capability: okThe name/description (Dnscheck reference for devtools) align with the included SKILL.md and the bash script: both provide local, read-only reference text and CLI-style commands. Nothing in the manifest or files requests unrelated privileges. Minor note: version strings differ between SKILL.md (2.0.4), manifest (2.0.5), and scripts/script.sh (VERSION=2.0.3) — this is likely a bookkeeping inconsistency but not a security concern.
Instruction Scope: okSKILL.md explicitly states outputs are plain-text heredocs and no network/credentials are used. The provided script implements only printing documentation for the listed commands and basic CLI behavior; it does not read external files, environment variables, or make network calls. One small doc inconsistency: the quickstart text generically says 'Required tools and access credentials' (a general guidance line) while the skill otherwise states no credentials are required. This appears to be generic wording, not an actual requirement.
Install Mechanism: okThere is no install specification (instruction-only skill) and the only code file is a self-contained shell script that prints documentation. No downloads, package installs, or archive extraction are performed by the skill.
Credentials: okThe skill declares no required environment variables, no primary credential, and no config paths. The script does not read or require environment variables. No secret-exposing patterns are present.
Persistence & Privilege: okThe skill is not marked always:true and does not attempt to modify agent/system configuration. It contains only a benign reference script and therefore does not request elevated persistence or privileges.