Skill v2.0.0
ClawScan security
Review Responder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 7:00 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions are consistent with a review-reply/template/analysis helper: it requires no credentials, makes no network calls, and only writes local data for simple persistence.
- Guidance: This skill appears coherent and low-risk: it provides reply templates and local utilities and does not ask for credentials or perform network calls. Before installing, review the two included shell scripts if you have concerns: they will create a local data folder (default ~/.local/share/review-responder or REVIEW_RESPONDER_DIR) and write logs/data there. Avoid feeding sensitive PII into batch operations if you don't want that persisted. If you plan to integrate with external platforms (uploading replies to a store, CRM, etc.), verify or add explicit, audited connectors rather than letting the skill send data externally. If unsure, run the scripts in a sandbox or inspect them locally prior to use.
Review Dimensions
- Purpose & Capability [ok]: Name/description (review replies, templates, analysis, batch) align with the provided SKILL.md and two shell scripts. The functionality implemented (reply templates, analysis scaffolding, batch guidance, and a small local utility) is proportionate to the stated purpose; there are no unrelated binaries, cloud creds, or configuration paths requested.
- Instruction Scope [ok]: SKILL.md instructs the agent to use commands (positive, negative, template, analysis, improve, batch) and the respond.sh script emits templated replies and prompts for input. The instructions do not direct the agent to read unrelated system files, access secrets, or transmit data to remote endpoints.
- Install Mechanism [ok]: There is no install spec (instruction-only skill) and the included files are simple bash scripts. No external downloads, package installs, or extract actions are present.
- Credentials [ok]: No required environment variables or credentials are declared. script.sh respects an optional REVIEW_RESPONDER_DIR/XDG_DATA_HOME/HOME location for local storage; this is reasonable and documented in the script.
- Persistence & Privilege [note]: The utility will create a local data directory (default ${XDG_DATA_HOME:-$HOME/.local/share}/review-responder), and write history.log and data.log there. This is normal for local persistence but worth noting for privacy (user-provided reviews are stored on disk). The skill does not request always:true or modify other skills.
