Skillv1.0.0

ClawScan security

Competitor Message Differ · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 16, 2026, 5:59 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (local competitor messaging analysis); it reads local inputs and produces structured reports but does not attempt network exfiltration or request unrelated credentials.
Guidance: This skill appears to do what it says: locally analyze competitor text and produce structured findings. Before running: do not point the script at system, home, or other directories that may contain secrets or unrelated private files (e.g., ~/.ssh, /etc, project folders with credentials). Prefer providing sanitized examples or a curated directory of competitor materials. Use --dry-run or run against examples first. Review any generated output before sharing externally. There is no network exfiltration in the code, but the script will include text from files you give it in its output, so treat inputs as potentially sensitive.

Purpose & Capability: okName/description (compare competitor messaging) align with included resources: a template, spec, examples, and a Python script that builds structured reports and audits directories/files. Requiring only python3 is proportionate.
Instruction Scope: noteSKILL.md instructs the agent to use the bundled script or fall back to the template. The script can read files and directories provided via --input and will scan file contents (including .md, .py, .sh, .json, .csv, etc.) and produce reports. This is expected for an audit/analysis tool, but it means the skill will read arbitrary user-specified local files and could include sensitive content in its outputs if those files are pointed at. The skill does not instruct network calls or hidden data exfiltration.
Install Mechanism: okNo install spec is provided (instruction-only). The only runtime requirement is python3 and the bundle includes a local script. No downloads, package installs, or external URLs are used.
Credentials: okNo environment variables, credentials, or config paths are requested. All processing is local and driven by user-provided inputs.
Persistence & Privilege: okSkill is not marked always:true and does not request persistent platform privileges. It does not modify other skills or system-wide settings.