Skill v1.1.0

ClawScan security

Docs Organization · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 4:16 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requirements and instructions align with its purpose of reorganizing project documentation; it is instruction-only, requests no credentials, and has no install step — but follow safe practices because some guidance involves moving or deleting files.
Guidance
This skill appears to do what it says (doc templates and migration steps) and doesn't ask for credentials or install code. However, many recommendations involve moving or deleting files (archives, logs, AI chat exports, slimming CLAUDE.md). Before running any automated reorganization: (1) make a repository snapshot or branch (or run on a copy), (2) require explicit confirmation for destructive steps, (3) protect any `.env` or secret files from accidental deletion, and (4) review suggested edits (especially CLAUDE.md trimming) to avoid losing required operational or security info.

Review Dimensions

Purpose & Capability
ok: Name/description match the SKILL.md: templates and migration checklists focus on assessing repo size, recommending directory layouts, and slimming large CLAUDE.md/AGENTS.md files. No unrelated binaries, env vars, or credentials are requested.
Instruction Scope
note: SKILL.md is an instruction-only guide that recommends running simple shell checks (e.g., `ls | wc -l`, use `rg`) and performing file operations (relocate/archive/delete screenshots, logs, AI exports, move docs, extract reference material). These actions are consistent with doc reorganization but can be destructive if executed automatically; the agent should confirm and/or operate on a copy/backups before making changes.
Install Mechanism
ok: No install/spec or code files are present (instruction-only). This minimizes installation risk: nothing is downloaded or written by the skill itself.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. Examples mention `.env` as a project artifact but do not request access to secrets. No disproportionate credential access is required.
Persistence & Privilege
note: `always:false` and user-invocable; the skill can be invoked autonomously per platform defaults (`disable-model-invocation:false`). Because instructions include file moves/deletions, autonomous execution could modify a repo. This is not inherently wrong, but you should ensure agent prompts/confirmation before destructive actions.