Skill v1.0.0

ClawScan security

Microservice Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 20, 2026, 1:19 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill implementation matches its description: a local, bash-based devtools logger/CLI that stores user-provided entries under ~/.local/share/microservice-gen and does not request credentials or reach out to external services.
Guidance
This skill is coherent and appears benign, but review before installing:
1) It stores every command input verbatim under ~/.local/share/microservice-gen. Avoid passing secrets or credentials as command input, because they will be logged.
2) Inspect the script if you plan to run it; it has minor bugs in JSON export/formatting and does not escape logged values.
3) Ensure the data directory permissions are acceptable (it will create files under your HOME).
4) If you want to avoid persistent logs, run the script in a sandbox or remove/redirect the DATA_DIR in the script before use.

Review Dimensions

Purpose & Capability
ok
Name/description describe a local Go microservice devtools workflow; the packaged behavior is a POSIX bash CLI that records, lists, exports, and searches user-provided entries. The requested permissions (none) and files present are consistent with a local devtools utility.
Instruction Scope
note
SKILL.md and the script keep all activity local and limited to logging, listing, exporting, searching, and simple reporting. However, the CLI records any user-provided input verbatim to local log files (e.g., check.log, generate.log) without sanitization, so if a user inadvertently pastes secrets (API keys, passwords, private snippets) into commands, those will be persisted locally. Also, the JSON export implementation does not escape values safely and has minor formatting bugs, which may corrupt exports.
Install Mechanism
ok
There is no install spec; the skill is instruction-only with a single included bash script. No network downloads, package installs, or archive extraction are present.
Credentials
ok
No environment variables or credentials are required. The script uses HOME to derive a data directory, which is expected for a local CLI. No unrelated secrets or config paths are requested.
Persistence & Privilege
note
The tool writes persistent data to the user's home directory (~/.local/share/microservice-gen). This matches the stated behavior but leaves a persistent footprint: logs, history, and exported files will remain on disk. The skill does not request elevated privileges or modify other skills or system settings.