Skill v0.1.0
ClawScan security
Go Vuln Crypto Tls · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 8:16 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only auditing helper whose grep- and checklist-based guidance aligns with its stated purpose and requests no extra permissions or installs.
- Guidance: This skill is an instruction-only audit checklist and grep-based detector for Go TLS/crypto issues; it is internally consistent and doesn't request credentials or installs. When using it: (1) treat its output as candidate findings that require manual review and testing (it relies on pattern matching and may produce false positives/negatives); (2) verify that any flagged instances are contextual (tests/dev-only patterns are excluded per the guide); (3) be cautious if you later grant the skill autonomous execution against repositories; although the skill itself doesn't exfiltrate data, autonomous runs will read your codebase; and (4) if the publisher or install spec changes (e.g., adds downloads or env requirements), reassess before trusting it.
Review Dimensions
- Purpose & Capability (ok): Name/description describe Go TLS/crypto auditing and the SKILL.md contains grep patterns, checklists, and real-world examples exactly for that task; there are no unrelated env vars, binaries, or install steps.
- Instruction Scope (ok): Runtime instructions are limited to searching code, inspecting crypto/TLS/JWT/SAML patterns, and following an audit checklist. They do not instruct the agent to read unrelated system files, exfiltrate data, call external endpoints, or use secrets.
- Install Mechanism (ok): No install spec and no code files; instruction-only skill. This minimizes disk write/execute risk.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths; that is proportionate to a static code-audit helper.
- Persistence & Privilege (ok): Skill is not marked always:true, does not request persistent system changes, and does not modify other skills or agent-wide settings.
