Skill v1.0.3
ClawScan security
Python Code Tester · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Benign (Mar 10, 2026, 2:02 AM)
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and files are consistent with a tool that searches a Python project, generates tests, runs them, and attempts fixes. It does not request credentials or contact unknown endpoints, but it will install packages, write files, and modify project code, so caution is warranted.
- Guidance: This skill appears internally consistent with its purpose, but it will (1) install Python packages via pip, (2) write test data to references/ and create logs under scripts/log/, and (3) create release copies and overwrite project files with fixes. Before running, review scripts/main.py and run.sh, back up your repository, and consider executing the skill in an isolated environment (container or VM). Inspect generated tests and any proposed code changes before merging them into your main codebase. If you do not want automatic code modification, run the tool in a dry-run mode or remove/guard the sync/overwrite step.
Review Dimensions
- Purpose & Capability (ok): The skill name/description (Python code testing) matches the included files and behavior: scripts/main.py implements project search, test-case generation, test execution and repair workflows; run.sh and requirements.txt support running tests. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): SKILL.md and the code instruct the agent to search the project source, create test data under references/, write test scripts under scripts/, save logs to scripts/log/, and update project files with fixes (scripts/release/v{n}/, then sync into the project). This is in-scope for a testing/fixing tool, but it grants the skill broad filesystem write and code-modification authority. The instructions also allow fetching external datasets when needed.
- Install Mechanism (note): There is no platform install spec (instruction-only), but run.sh will pip install packages from requirements.txt (pytest, numpy, pandas). Installing PyPI deps is expected for this task but is an action the user should review before running. No downloads from unknown URLs or archive extraction were observed.
- Credentials (ok): The skill does not declare or require environment variables, credentials, or config paths. Its filesystem and network needs (writing references/logs, optionally downloading datasets) are proportional to the stated purpose. No secrets or unrelated external service tokens are requested.
- Persistence & Privilege (note): always:false and normal model invocation are set. The skill will create directories and modify project files (release copies, then syncing fixes into the project), which is expected for an auto-fixing tester but is a privileged action: it can alter your codebase when run.
