Skill v1.0.2

ClawScan security

presales-tech-support · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 23, 2026, 6:20 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instruction-only presales technical-support skill; requirements and instructions are coherent with its stated purpose and it does not request credentials or install software.
Guidance
This skill is internally consistent and low-risk because it is instruction-only and asks for no credentials or installs. Before using: (1) avoid pasting sensitive credentials or private customer PII into prompts; (2) understand the agent may recommend running system commands — verify them before execution; (3) expect the agent to reference public web sources (GitHub, vendor errata) but not actual internal company knowledge — verify any claims marked as [推演] or [信息缺失]; (4) ensure the runtime environment actually has the diagnostic tools the skill references (nvidia-smi, IB tools, Prometheus) or the validation steps it suggests may be inapplicable.

Review Dimensions

Purpose & Capability
ok: The skill declares itself as a presales technical diagnostic assistant and its SKILL.md contains detailed, role-based instructions for analyzing test scenarios, logs, and stacks. It does not request unrelated credentials, binaries, or config paths; the requested capabilities align with the stated purpose.
Instruction Scope
note: The runtime instructions ask the agent to compare issues against 'latest vendor Erratum, GitHub active issues, or internal expert knowledge'. That implies network access and/or internal knowledge that the skill does not provision. The skill otherwise confines itself to analyzing user-provided input (test requirements, stack, logs) and recommending commands/validation steps. Watch for potential hallucination when the agent claims to have 'internal expert library' knowledge; the SKILL.md itself requires labeling unknowns as '[信息缺失]' which mitigates this risk if followed.
Install Mechanism
ok: No install spec and no code files: instruction-only. Nothing is written to disk and there are no download/install steps to evaluate, which minimizes installation risk.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. It does expect the environment to have standard diagnostic tools available (nvidia-smi, ib_write_bw, Prometheus metrics), which is reasonable for its domain but is not enforced via declared requirements.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable; it can be invoked autonomously by the agent (platform default). There is no request to modify other skills or persist broad privileges.