Skill v1.0.1

ClawScan security

Compliance Readiness · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Verdict
Benign (scanned Mar 23, 2026, 7:01 AM)
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only compliance assessment tool whose declared behavior, required inputs, and runtime instructions are consistent with its stated purpose and do not request extra system access or credentials.
Guidance
This instruction-only skill appears internally consistent and carries low technical risk because it asks users for information and produces a report without requesting credentials or installing code. Before installing or relying on its output: (1) verify the vendor/source since the registry entry lacks a public homepage — confirm trust and support channels; (2) avoid pasting sensitive secrets or PHI directly into the agent — feed only the minimum required, or anonymize data; (3) treat the generated compliance recommendations as advisory and have legal/compliance teams review them before taking action; (4) if you plan to integrate this into automated workflows, audit any agent that will invoke it for appropriate access controls.

Review Dimensions

Purpose & Capability
Status: ok
Name, description, README and SKILL.md all describe an AI compliance-readiness assessment and the inputs/outputs requested are consistent with that purpose. No unrelated credentials, binaries, or config paths are required. Minor note: registry metadata lists an owner ID and README names AfrexAI/Clawhub but there is no homepage URL in the registry entry; that reduces third-party traceability but does not conflict with functionality.
Instruction Scope
Status: ok
SKILL.md only instructs the agent to gather user-provided organizational inputs, score 8 dimensions, and produce a report. It does not instruct reading local files, accessing environment variables, contacting external endpoints, or transmitting data to unknown destinations.
Install Mechanism
Status: ok
No install spec and no code files: instruction-only. This is the lowest-risk install model; nothing is written to disk or fetched at install time.
Credentials
Status: ok
No environment variables, credentials, or config paths are requested. The skill does not ask for secrets or system-level access, which is proportionate to an assessment/reporting skill.
Persistence & Privilege
Status: ok
always:false and user-invocable:true (defaults). The skill does not request persistent presence or privileged modification of other skills/config; autonomous invocation is not disabled, but that is the platform default and there are no other red flags increasing risk.