Skill v1.5.0
ClawScan security
Battle-Tested Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 28, 2026, 7:44 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and single audit script align with its stated purpose (production-hardening patterns) and do not request unrelated credentials, network access, or privileged persistence.
- Guidance: This skill appears internally consistent and low-risk, but take normal precautions before running anything that writes to your files:
  1. Inspect scripts/audit.sh locally to confirm behavior (it only greps and checks files).
  2. Run the audit against a safe/copy workspace first (e.g., a small test directory) to observe output.
  3. Do not blindly run the cp snippets; review and merge templates manually or use cp -n/interactive mode to avoid overwriting important files.
  4. Running the audit on very large workspaces may be slow because it recurses with grep; run it against targeted paths if needed.
  If you need higher confidence, ask the author for a signed release or run the script in a sandboxed environment before applying templates to production workspaces.
Review Dimensions
- Purpose & Capability (ok): Name/description match the contained assets and the included audit script. Required binaries (bash, grep, find, wc) are exactly what the audit.sh script uses. No extraneous credentials, hosts, or unrelated tools are requested.
- Instruction Scope (note): SKILL.md tells the agent to run scripts/audit.sh against a workspace and optionally copy template assets into the user's workspace. The audit script scans local workspace files (grep/find) for patterns; it does not call external endpoints or attempt to read system-wide secrets. Note: the provided cp snippets will write into the user's workspace and could overwrite files if run without review; review/copy carefully.
- Install Mechanism (ok): No install spec: instruction-only with one small shell script. Nothing is downloaded or written to system directories by the skill itself.
- Credentials (ok): No environment variables, credentials, or config paths are required. The skill's operations are limited to user-specified workspace directories.
- Persistence & Privilege (ok): always:false (normal). The skill does not request permanent agent inclusion or modify other skills; autonomous invocation is allowed by default but this skill's content is passive and agent-initiated.
