Skill v1.0.0
ClawScan security
quote-invoice-workbench · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 7:43 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it uses a small local Python helper and a bundled CSV to produce quotes/invoices, and it does not request unexplained credentials, network access, or unusual installs.
- Guidance: This package appears safe and auditable: review the bundled pricebook.csv and the small script if you want to confirm behavior, ensure python3 is on your PATH, and when running the script pass only non-sensitive input files. The script will write an output file (default quote.json), so verify outputs before using them externally. If you allow an autonomous agent to run skills, remember the agent could execute the local script with supplied inputs; limit any sensitive data in those inputs and confirm prompts/approvals before letting the agent perform file writes or further actions.
Review Dimensions
- Purpose & Capability: ok. Name/description match the included artifacts: a pricebook CSV and a Python quote_calculator script. Declared dependency (python3) is exactly what the script requires. Nothing requested is unrelated to producing quotes/invoices.
- Instruction Scope: ok. SKILL.md instructs using the local script and resource file, asks for only domain inputs (scope, rates, timeline, taxes), and explicitly warns against fabricating credentials or performing destructive actions. The included script reads a user-supplied JSON and writes an output JSON, behavior consistent with the stated workflow.
- Install Mechanism: ok. There is no install spec and no remote downloads. This is an instruction-only skill with a small local script and resource; nothing is fetched from external URLs and no archives are extracted.
- Credentials: ok. No environment variables, credentials, or config paths are required. The script operates on user-provided files only, which is proportionate to the skill's purpose.
- Persistence & Privilege: ok. always is false and there are no requests to modify other skills or system-wide settings. The skill does write an output file by default (quote.json), which is expected and documented.
