Skill v1.0.0
ClawScan security
China Industrial Machinery Sourcing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 3:34 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with its stated purpose (local, read-only industry intelligence served from bundled data.json) and do not request credentials or external installs.
- Guidance: This package is a local, read-only intelligence bundle: it serves data from the included data.json via simple Python functions and does not contact external endpoints or require credentials. Before installing, consider: (1) verify the data sources and currency if you need authoritative or legally compliant supplier info; (2) do your own supplier due diligence before sharing sensitive company info with contacts in-country; and (3) if you plan to extend the skill (networking, scraping, or contacting suppliers), review additional code for network calls and credential handling because that would materially increase risk.
Review Dimensions
- Purpose & Capability: ok. Name/description match the implemented functionality: do.py reads structured data.json and exposes read-only query functions for industry overview, clusters, subsectors and sourcing guidance. No unrelated capabilities (cloud access, system administration, or communications) are requested.
- Instruction Scope: ok. SKILL.md describes using the packaged data and the available Python API; runtime instructions reference only data.json and the local functions. There are no instructions to read unrelated files, access arbitrary env vars, or transmit data externally.
- Install Mechanism: ok. No install spec; the skill is instruction-plus-local-code only. Files are bundled (do.py and data.json) and there are no downloads, external package installs, or archive extraction steps.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths and its code does not reference secrets or external services. Requested access is proportionate to a read-only data lookup skill.
- Persistence & Privilege: ok. Skill is not always-enabled, does not modify other skill configurations, and has no autonomous privilege escalation indicators. It runs as a normal invocable skill with a limited local surface.
