Skillv0.1.0

ClawScan security

vuact · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 15, 2026, 5:49 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only integration guide for a React↔Vue interoperability library; its files, requirements, and runtime instructions are coherent with that purpose and do not request unrelated credentials or system access.
Guidance: This is a documentation-only skill describing how to use a compatibility library that replaces React packages with 'vuact' at build time. Before adopting it: (1) review the actual vuact and vuact-dom package source (npm/GitHub) and maintainers, because the guide recommends low-level substitutions and a 'hack' to access Vue internals which can be fragile or introduce subtle runtime differences; (2) test in a small sandbox project—pnpm overrides and package aliasing change dependency resolution across your tree and can break other libraries; (3) check compatibility with your bundler and Vue/React versions; (4) there are no credential or network-exfiltration red flags in these docs, but always inspect third-party packages you install for unexpected code or remote calls.

Purpose & Capability: okName/description (vuact React↔Vue interop) match the included markdown examples and configuration notes; there are no requested environment variables, binaries, or config paths that don't belong to a frontend library integration guide.
Instruction Scope: noteSKILL.md and reference docs are purely developer-facing guidance: Vite aliases, pnpm overrides, imports, and example code. One implementation note mentions 'setup-scheduler' which 'retrieves Vue's internal flushJobs via a hack' and instructions to replace @vue/runtime-dom in pnpm overrides — both are expected for deep runtime shims but are fragile and deserve review before use.
Install Mechanism: okThis is instruction-only (no install spec). The guide recommends installing packages via pnpm (pnpm add vuact vuact-dom) and editing build config; that is proportionate for a JS library and does not involve arbitrary downloads or unusual install locations.
Credentials: okNo required environment variables, credentials, or config paths are declared or accessed by the docs. The recommended pnpm overrides and aliases affect dependency resolution in the project but are expected for replacing React with a compatibility layer.
Persistence & Privilege: okSkill is not always-enabled, does not request persistent privileges, and has no instructions to modify agent/system skill configurations. It only contains docs and code examples, so it does not require elevated platform presence.