Back to skill
Skillv1.0.1
ClawScan security
Save Token · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 2:58 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a documentation-only, guiding skill that provides heuristics for reducing LLM token usage and does not request credentials, install code, or perform actions itself.
- Guidance
- This skill is just documentation with practical heuristics for saving tokens — it cannot change your agent's context by itself. Before relying on it: (1) verify your agent implements the suggested strategies correctly (summaries, deduplication) to avoid accidentally dropping important context; (2) ensure the agent reports the token-count metrics it uses so savings are verifiable; (3) review any agent code that implements these strategies for privacy or data-retention concerns (e.g., summaries that might omit required details).
Review Dimensions
- Purpose & Capability
- okThe name and description (token-saving guidance) match the SKILL.md content. The skill is instruction-only and asks for no binaries, env vars, or installs that would be unrelated to its stated goal.
- Instruction Scope
- okSKILL.md contains only guidance (summarize, reference, dedupe, compress) and explicit thresholds. It does not instruct the agent to read unrelated files, access credentials, call external endpoints, or perform hidden actions. The guidance gives the agent discretion to apply strategies, which is expected for a guiding skill.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only). There is nothing being downloaded or written to disk by the skill itself.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. That is proportionate for a guidance-only skill focused on token optimization.
- Persistence & Privilege
- okFlags are default (always:false, user-invocable:true) and the README/SKILL.md explicitly state the skill does not modify runtime context. The skill does not request persistent privileges or modify other skills' config.