Skillv0.1.0

ClawScan security

cooking-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

SuspiciousApr 6, 2026, 4:02 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only cooking helper that matches its description, but it declares broad runtime tool permissions (Bash, Read/Write/Edit) that are unnecessary for its stated purpose and widen its runtime privileges.
Guidance: This skill appears to do what it says (give recipe recommendations and technique help) and has no external installs or credential requests. The main concern is the declared runtime permissions (Bash, Write, Edit) in SKILL.md — a cooking helper does not normally need to execute shell commands or edit files. Before installing, consider: 1) only install if you trust the author or the GitHub repo; review SKILL.md and the referenced files yourself; 2) if your platform lets you control skill permissions, remove or deny Bash/Write/Edit access so the skill can only Read; 3) run it in a sandboxed environment (or with limited agent privileges) if you plan to let the agent invoke skills autonomously; 4) watch for any future updates that add network endpoints, install steps, or credential requests. If you want, I can point out the exact lines that grant Bash/Write/Edit so you can request a slimmer permission set from the maintainer.

Purpose & Capability: noteName and description align with the files and instructions: a recipe/technique recommender. It requests no env vars or external credentials and has no install. However, SKILL.md metadata lists allowed-tools including Bash, Write, and Edit — capabilities not needed for a read-only recipe helper and disproportionate to the stated purpose.
Instruction Scope: okRuntime instructions are self-contained and limited to reading local reference files and producing recipe answers. The SKILL.md does not instruct the agent to read unrelated system files, access secrets, or call external endpoints. It asks the agent to read only the repository's references.
Install Mechanism: okNo install spec and no code files to execute were provided (instruction-only). This minimizes risk — nothing is downloaded or written at install time.
Credentials: okThe skill requires no environment variables, credentials, or config paths. The declared permissions are therefore not tied to any secret access and there are no disproportionate credential requests.
Persistence & Privilege: notealways:false and user-invocable:true are appropriate. However, the allowed-tools list grants the agent potential runtime privileges (running Bash, and writing/editing files) that increase its blast radius if invoked autonomously — the skill itself does not request persistent presence or modify other skills.