Skill v1.0.0

ClawScan security

AI Editor Rules · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 26, 2026, 9:25 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
This is an instruction-only collection of editor-rule templates whose declared purpose matches the files and guidance provided; no credentials or installers are required by the skill itself, but you should verify any external CLI it asks you to install and be cautious about persisting sensitive data.
Guidance
This skill appears to do what it says (editor rule templates). Before installing or following its commands:
1) Verify the external CLI it suggests (crossrule) — check the npm package name, author, and repository before running `npm install -g` (or prefer a local/devDependency install).
2) Inspect the template files you copy into projects to ensure they don't accidentally include secrets or unwanted project-specific settings.
3) Be cautious with AGENTS.md guidance to 'write memory to a file' — avoid persisting sensitive data (API keys, personal info).
4) If you need higher assurance, ask for the skill's source or homepage or run the suggested tools in a sandbox/container first.

Review Dimensions

Purpose & Capability
ok
The skill name/description (AI editor rule templates) aligns with the provided files (Cursor/Windsurf/Claude templates and AGENTS.md) and the runtime instructions (copy templates into project, optionally convert with a tool). Nothing declared in the skill (no env vars, no binaries required) is unexpected for this purpose.
Instruction Scope
note
SKILL.md stays on-topic (copying rule files, explains formats, shows example validation commands). It does instruct installing and running external CLIs (npm -g crossrule, and commands like `cursor --rule-check` / `claude --verify-rules`) — these are reasonable for the task but are external operations that will run code outside the skill. The included AGENTS.md directs agents to write memory to files, which is a behavioral recommendation that can cause persistent storage of data if followed.
Install Mechanism
note
There is no formal install spec (skill is instruction-only). The README recommends `npm install -g crossrule` (an npm global install). Installing a public npm package is common for this use-case but carries the usual registry/package trust considerations (verify package name/author and version before global install).
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. Templates and guidance mention using environment variables (e.g., process.env) as a best practice, which is appropriate for project rules but the skill itself does not request secrets.
Persistence & Privilege
note
The skill is not always-enabled and does not request elevated platform privileges. However, the included AGENTS.md advocates writing memory to files and keeping AGENTS.md in workspace; following that could lead to persistent storage of agent data (including anything an agent decides to 'remember'). The skill itself does not enforce persistence, but it encourages practices that create persisted files.