Skillv1.0.52

ClawScan security

Ai Code Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousMar 16, 2026, 3:49 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is essentially marketing copy: it claims multi-language code automation but contains no runtime instructions, installs, or credential needs—coherent from a privilege perspective but incomplete and potentially misleading.
Guidance: This skill is low-risk but appears incomplete or placeholder: it only contains marketing text and no runtime behavior. Before installing or relying on it, ask the publisher for a full SKILL.md that documents the runtime workflow (what APIs or CLIs it calls, what permissions/credentials it needs, and how data is handled). Also verify the source/owner and request a homepage or repo link. If you need a functioning code-assistant, prefer skills that declare their install steps and required credentials explicitly; do not give sensitive credentials unless the skill's purpose and endpoints are clearly justified and trustworthy.

Purpose & Capability: concernName/description promise advanced AI code processing and automation, but the skill provides no implementation details, required tools, or credentials. The requested surface (nothing) is disproportionate to the claimed capabilities — either it's a placeholder or incomplete.
Instruction Scope: concernSKILL.md contains only marketing/ROI text and no runtime instructions (no commands, API endpoints, or workflows). Because there are no operational instructions, the agent cannot perform the advertised tasks and the skill may be misleading.
Install Mechanism: okInstruction-only skill with no install spec and no code files — lowest installation risk. Nothing will be written to disk by an installer because none is declared.
Credentials: okNo environment variables, credentials, or config paths are requested. From a secrets/privilege standpoint, the skill asks for nothing, which is proportionate (but also explains why it does nothing).
Persistence & Privilege: okDefaults (always: false, agent-invocation allowed). The skill does not request persistent presence or elevated system privileges.