Skill v1.0.1

ClawScan security

Call Scorecard Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 18, 2026, 2:03 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files, runtime instructions, and required resources are coherent with its stated purpose (generating call scorecards and related audit reports); it only needs python3, has no external network calls or secret requirements, and its script operates on user-provided local inputs.
Guidance
This skill appears to do what it claims: generate structured call scorecards and simple audits using local files. Before running it or letting an agent execute it autonomously, do not point the script at system-level or sensitive directories (e.g., /, home, or directories containing credentials). If you will pass voice transcripts or real call recordings, remove or redact personal data first. The script performs only local file reads and pattern scanning (no network calls), but granting an agent the ability to run it means the agent could read any files you provide as input — restrict inputs accordingly.

Review Dimensions

Purpose & Capability
ok: Name/description (build call scorecards) align with included resources: spec.json, template.md, examples, and a local Python script that generates structured reports. Requested binary (python3) is appropriate and proportional.
Instruction Scope
note: SKILL.md stays within purpose and explicitly limits high-risk actions. It instructs running the included script or, if execution isn't available, producing output from the provided template/spec. The script can also run directory/csv/pattern/skill audits (it will read files under an input path), so if a user points it at broad or sensitive directories it will read those files — this is expected for audit modes but users should avoid passing system or sensitive paths.
Install Mechanism
ok: No install spec; instruction-only plus a local Python script. No downloads or external package installs are requested. Only dependency is python3 and standard library per README and SELF_CHECK.
Credentials
ok: No environment variables, credentials, or config paths are required. The script does not access secrets or network endpoints; it performs local file reads on the user-specified input only.
Persistence & Privilege
ok: Skill is user-invocable, not always:true, and does not request permanent or elevated system presence. It does not modify other skills or system-wide settings.