Skill v1.0.0

ClawScan security

Data Retention Mapper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 8:21 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and requirements are consistent with a local data‑retention auditing/templating tool — it only needs python3, is instruction-driven, and contains a local script that reads inputs and produces reports; no unrelated credentials or network installs are requested.
Guidance
This skill appears to do what it says: generate structured data‑retention reports from supplied inputs or local directories. Before running: (1) inspect the bundled scripts/run.py if you want to confirm its behavior; it only reads files and writes reports, and contains patterns to detect risky snippets; (2) avoid passing top-level or sensitive system paths as the --input, to prevent accidental disclosure of unrelated files; (3) use --dry-run or run in an isolated workspace if you are testing; and (4) review any generated output before sharing it externally, because report contents may include snippets from scanned files. If you need to audit a live system, sanitize inputs or run the skill against a copy of the data.
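The pre-run checks in the guidance above (keep top-level and sensitive paths out of --input, dry-run in an isolated workspace, review the report for leaked snippets before sharing) as an added Python example. This is not part of the ClawHub report or of the skill's own scripts/run.py; it assumes only what the report states, that the script takes an --input directory, scans it recursively, and writes a text report. The sensitive-root list, the scanned file types, the secret patterns, the sample workspace and the sample report are all constructed for this example.

```python
"""Pre-flight guard for a local file-scanning skill such as Data Retention Mapper.

Added example (not the skill's own code). Assumed: the skill takes an --input
directory, scans it recursively and writes a text report. Everything below is
this example's own choice, not something the report or the skill specifies.
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path

# Roots an audit must never be pointed at by accident (assumed list, extend to taste).
SENSITIVE_ROOTS = {"/", "/etc", "/root", "/var", "/proc", "/sys", "/usr", "/opt"}
# File types the report says the scanner reads (markdown, code, CSV, ...); assumed set.
SCAN_SUFFIXES = {".md", ".py", ".js", ".ts", ".csv", ".json", ".txt", ".yml", ".yaml"}
# Credential-looking snippets that should not leave a report unreviewed (assumed patterns).
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "password-assignment": re.compile(r"(?i)\b(password|passwd|secret|token)\s*[=:]\s*\S+"),
}


def is_safe_input(path: str, home: str) -> tuple[bool, str]:
    """Reject system roots, the bare home directory, any ancestor of home,
    and dot-directories under home (~/.ssh, ~/.aws, ~/.config hold credentials)."""
    p = Path(os.path.abspath(path))
    h = Path(os.path.abspath(home))
    if str(p) in SENSITIVE_ROOTS:
        return False, f"{p} is a system root"
    if p == h:
        return False, "bare home directory; point at a project subdirectory instead"
    if p in h.parents:
        return False, f"{p} contains the home directory"
    if h in p.parents:
        rel = p.relative_to(h)
        if any(part.startswith(".") for part in rel.parts):
            return False, f"{p} is under a dot-directory, which commonly holds credentials"
    return True, "ok"


def dry_run_listing(root: Path) -> tuple[list[Path], dict[str, int]]:
    """List what a recursive scan would read: prunes dot-directories, skips
    dot-files and symlinks (so the scan cannot escape the workspace)."""
    files: list[Path] = []
    counts: dict[str, int] = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        dirnames[:] = [d for d in dirnames if not d.startswith(".")]  # prune in place
        for name in filenames:
            if name.startswith("."):
                continue
            fp = Path(dirpath) / name
            if fp.is_symlink():
                continue
            suffix = fp.suffix.lower()
            if suffix in SCAN_SUFFIXES:
                files.append(fp)
                counts[suffix] = counts.get(suffix, 0) + 1
    return sorted(files), counts


def find_secret_like_snippets(report_text: str) -> list[tuple[int, str]]:
    """Return (line number, pattern label) for report lines to redact before sharing."""
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(report_text.splitlines(), start=1):
        for label, rx in SECRET_PATTERNS.items():
            if rx.search(line):
                hits.append((lineno, label))
    return hits


def build_sample_tree() -> Path:
    """Constructed sample workspace (not real data) to exercise the dry run."""
    root = Path(tempfile.mkdtemp(prefix="retention-workspace-"))
    (root / "docs").mkdir()
    (root / "docs" / "policy.md").write_text("# Retention policy\nKeep invoices 7 years.\n")
    (root / "data").mkdir()
    (root / "data" / "users.csv").write_text("email,created\na@example.com,2024-01-01\n")
    (root / "scripts").mkdir()
    (root / "scripts" / "export.py").write_text("print('export')\n")
    (root / ".env").write_text("DB_PASSWORD=hunter2\n")          # dot-file: must be skipped
    (root / ".git").mkdir()
    (root / ".git" / "notes.md").write_text("internal\n")        # dot-dir: must be pruned
    try:
        os.symlink("/etc", root / "etc-link")                   # symlink: must not be followed
    except OSError:
        pass
    return root


# Constructed sample of what a generated report might contain (line 3 leaks a key).
SAMPLE_REPORT = """\
# Data retention report (constructed sample)
- data/users.csv: 1 record, retained until 2031-01-01
- scripts/export.py: snippet: AWS_KEY = "AKIAIOSFODNN7EXAMPLE"
- docs/policy.md: no retention period stated
"""

if __name__ == "__main__":
    ws = build_sample_tree()
    print(is_safe_input(str(ws), home=str(ws.parent)))
    print(dry_run_listing(ws)[1])
    print(find_secret_like_snippets(SAMPLE_REPORT))
```

Run the guard on the directory you intend to pass as --input and on the report the skill writes; the example's dry run is a stand-in for the skill's own --dry-run and lists only what the path would expose, so a surprising file count is the signal to narrow the input before executing the real scan.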

Review Dimensions

Purpose & Capability
ok: Name/description (data retention mapping) match the included resources: a template, spec, examples, and a Python script that generates structured reports or audits. The only required binary is python3, which is proportionate to the stated purpose.
Instruction Scope
note: SKILL.md limits the skill to read-only, reviewable outputs and instructs running the bundled script or using the templates if execution is unavailable. The included script can recursively scan directories and many file types (markdown, code, CSV, etc.) when given a directory as input. This is reasonable for audits, but it means the agent (or user) must avoid passing sensitive system paths (e.g., /, or home directories with secrets) unless intended. The skill does not instruct reading unrelated environment variables or contacting external endpoints.
Install Mechanism
ok: There is no install spec (instruction-only plus an included script). No external downloads, package installs, or third-party registries are invoked. This is low-risk from an install perspective.
Credentials
ok: The skill requests no environment variables or credentials. The resources and script operate on local files provided as input; nothing requires access to cloud keys or unrelated secrets.
Persistence & Privilege
ok: The always flag is false and the skill does not request permanent platform privileges. The script can write an output file (normal for a report generator) but does not modify other skills or system-wide agent settings.