Skill v9.9.5

ClawScan security

Performance Reporter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:06 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only SEO/GEO performance-reporting helper whose requested actions and storage are consistent with its stated purpose; it does not request extra credentials or install code.
Guidance
This is an instruction-only reporting skill and appears coherent with its stated purpose. Before installing or invoking it:
1) Confirm you are comfortable with the skill writing reports into your agent's memory (memory/monitoring/, open-loops, decisions) since saved reports can contain sensitive metrics.
2) If you connect analytics/Search Console/SEO tools later, provide least-privilege credentials and review what connectors are enabled — the skill itself does not request keys, but connectors will.
3) Because the source is 'unknown' but points to a GitHub repo, you may want to inspect that repo (or the SKILL.md in full) to confirm any additional behavior or connector instructions.
4) Require explicit user confirmation before the skill saves or promotes sensitive data to persistent memory.
If you want, I can list concrete questions to ask or produce a short checklist to audit connectors and memory retention policies.

Review Dimensions

Purpose & Capability
ok: Name/description map directly to the instructions and reference templates. The SKILL.md outlines report sections, KPI definitions, and templates appropriate for SEO/GEO reporting. No unrelated credentials, binaries, or platform access are requested.
Instruction Scope
note: Instructions stay within report generation: define parameters, compile metrics, produce recommendations, and prompt to save results. It reads documentation (CLAUDE.md, state model) and may ask the user for analytics exports when connectors are absent. It directs writing to agent memory paths (memory/monitoring/, memory/open-loops.md, memory/decisions.md) — expected for a reporting skill, but persistent storage can capture sensitive data, so users should confirm acceptance of this behavior.
Install Mechanism
ok: No install spec and no code files to run. This is the lowest-risk installation model (instruction-only).
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. It references optional connectors but does not require API keys in the manifest; any connector use will depend on separate, explicit tool hookups.
Persistence & Privilege
ok: always:false (default). The skill writes to its own memory paths for saved reports and handoff notes, which is proportional to its purpose. No indication it modifies other skills or system-wide settings.