Back to skill
Skillv1.0.4
ClawScan security
CloudCreate Tools · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 5:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and scope match its stated purpose (building CloudCreate.ai deep links and suggesting local/production usage); it is an instruction-only skill that asks for no credentials or installs.
- Guidance
- This skill appears coherent and safe for its stated purpose. Before acting on its recommendations: (1) Confirm whether you want a production link or to run the app locally. (2) If you or the agent will run commands (npx, git clone, npm install, npm run dev), verify the GitHub repo and packages to avoid executing untrusted code. (3) Running the UI locally gives a stronger privacy boundary, but running npm/npx will execute third-party code — only proceed if you trust the source. No credentials or persistent privileges are requested by the skill.
Review Dimensions
- Purpose & Capability
- okName/description claim (enumerate CloudCreate.ai tools and build shareable links) matches the SKILL.md content: path catalog, URL construction rules, CLI usage, and local/self-host guidance. Nothing requested or documented is unrelated to linking or discovery.
- Instruction Scope
- noteSKILL.md instructs the agent to prefer the official CLI (npx @cloudcreate/cli) and, when suggesting a self-hosted option, to clone the project's GitHub repo and run npm dev/preview. These actions are consistent with documenting how to get or open the UI, but they involve running third-party code (npx / npm install / running a local dev server) which is expected for local hosting but should be performed only after the user approves and verifies sources.
- Install Mechanism
- okThere is no install spec for the skill itself (instruction-only). The SKILL.md recommends using existing tools (npx, npm) which are external to the skill; the skill will not download or write files on its own.
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. The SKILL.md does not ask for secrets or unrelated credentials.
- Persistence & Privilege
- okFlags show default autonomy settings and always:false. The skill does not request persistent presence, nor does it instruct modifying other skills or global agent settings.