Skill v1.0.0

ClawScan security

China Home Appliances Sourcing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 4:56 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, data, and runtime instructions are consistent with a read-only industry intelligence guide and do not request unrelated credentials, network access, or elevated privileges.
Guidance
This skill appears to be a self-contained, read-only industry guide backed by local JSON data and a small Python wrapper. Before installing, consider: 1) review data.json yourself to confirm the data and any attribution/licensing you need; 2) if you plan to use the skill for procurement decisions, independently verify supplier-level details (the skill states it contains cluster-level, not factory contact, data); 3) run the included do.py in a sandbox or isolated environment if you want to inspect behavior; and 4) if you need features that contact external services (real-time trade data, verified supplier contacts), expect those to require additional, explicit integrations and credentials — this skill does not provide them.

Review Dimensions

Purpose & Capability
ok: Name/description (China home appliances sourcing) align with the actual assets: an internal data.json and a small do.py API that exposes read-only lookups and search over that data. Nothing in the manifest or code requests unrelated capabilities or credentials.
Instruction Scope
ok: SKILL.md describes read-only usage and references the local data file and do.py functions. The provided instructions do not tell the agent to access other system files, network endpoints, or hidden credentials; they stick to the stated sourcing guidance and local data.
Install Mechanism
ok: No install spec is provided (instruction-only skill); code is included in the bundle and reads a local JSON. There are no downloads, external install URLs, or archive extraction steps.
Credentials
ok: The skill requires no environment variables, no credentials, and no config paths. The code does not read environment variables or request secrets, which is proportionate for a static data/reporting skill.
Persistence & Privilege
ok: always is false and the skill does not modify other skills or system settings. It has normal, non-persistent presence and does not request elevated agent privileges.