Back to skill
Skillv2.0.1
ClawScan security
pathway-score-guide-pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 3:47 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, instructions, and resource data are coherent with its stated purpose (scoring and guidance for academic/career pathways); it has no network calls, no credential requests, and no install steps that appear disproportionate.
- Guidance
- This skill is internally consistent with its purpose: it expects you to upload or paste your school/unit documents (or provide official links) and then uses built-in scorecards and conservative parsers to produce a scoring report. Before installing or enabling it: (1) be aware it will read any uploaded documents (do not upload sensitive personal data you don't want processed), (2) review the included sample files and run python3 scripts/self_check.py . to verify locally, and (3) remember its estimates are explicitly non-authoritative — always confirm with your school/unit official documents. No network exfiltration or secret access was found, but if you plan to feed highly sensitive records, consider running the scripts in a local sandbox first.
Review Dimensions
- Purpose & Capability
- okName/description (pathway scoring & guidance) match included resources (scorecards, templates, policy references) and helper scripts (score engine, policy normalizer, checklist). There are no unrelated env vars, binaries, or external service credentials requested.
- Instruction Scope
- noteSKILL.md asks the agent to prefer user-uploaded school/unit documents and to use packaged national baselines and representative rules when local files are absent — this is consistent with the stated goal. Note: the design expects the agent to read user-provided documents and provided local CSV/JSON resources; those are privacy-sensitive inputs but expected for the task. The instructions do not direct the agent to fetch remote endpoints or exfiltrate data.
- Install Mechanism
- okNo install spec; skill is instruction- and resource-driven with small local scripts. No downloads, package installs, or archive extraction are present.
- Credentials
- okNo required environment variables, credentials, or config paths are declared or used in the code. The skill operates on local files and provided user inputs only.
- Persistence & Privilege
- okalways is false; the skill does not request permanent presence or modify other skills. Scripts are read-only utilities that parse and emit JSON/YAML-like data.