Skill v1.0.1
ClawScan security
Cost · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 8:17 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only cost-management assistant whose resources and runtime instructions are consistent with its stated purpose and do not request extra credentials or installs.
- Guidance: This skill appears internally consistent and low-risk because it is documentation-only and asks for no secrets or installs. Before relying on its recommendations, verify the provenance (author/homepage and version inconsistencies noted), test outputs on non-critical decisions, and avoid pasting sensitive financial credentials or proprietary datasets into prompts. Treat its suggestions as advisory — validate models and numbers with your accounting tools or a human accountant before taking high-impact actions.
Review Dimensions
- Purpose & Capability (ok): The name, description, and included documents all describe cost visibility, cost-structure analysis, pricing, vendor management and related advisory tasks. There are no unexpected requirements (no credentials, binaries, installs) that would be disproportionate for this purpose. Minor metadata inconsistencies exist (skill.json lists homepage and author; registry metadata said homepage none; skill.json version is 1.0.0 while registry shows 1.0.1) but these are bookkeeping issues rather than security problems.
- Instruction Scope (ok): SKILL.md, examples.md, and heartbeat.md contain only advisory prompts, checklists, modeling guidance and example prompts. The instructions do not tell the agent to read arbitrary system files, access environment variables, call external endpoints, or exfiltrate data. They remain within the domain of financial advice and modeling.
- Install Mechanism (ok): No install spec and no code files beyond documentation — the skill is instruction-only, which is the lowest-risk install profile. Nothing is downloaded or written to disk by an install step.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. That matches the advisory/documentation nature of the content and is proportionate to the stated functionality.
- Persistence & Privilege (ok): always is false and the skill is user-invocable with normal autonomous invocation allowed — this is the platform default and acceptable for an advisory skill. The skill does not request persistent system privileges or to modify other skills.
