Back to skill
Skillv2.2.0
ClawScan security
Insurance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 4:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its described purpose (local-only insurance record storage and simple queries); nothing in the package requests unrelated credentials, external network access, or elevated privileges.
- Guidance
- This skill appears to be what it says: a local-only organizer that writes JSON files and prints JSON responses. Before installing, consider: (1) the skill will create and write files by default to ~/.openclaw/workspace/memory/insurance (you can set WORKSPACE_ROOT to change this); (2) it will store sensitive insurance details locally—ensure the directory permissions and backups meet your privacy needs; (3) running the skill executes bundled Python scripts, so only install if you trust the code bundle (you can inspect the files shown here). No network or external credentials are required.
Review Dimensions
- Purpose & Capability
- okName/description describe a local insurance record manager and the included scripts (add/list/check/generate/log) implement exactly that functionality; no unrelated services, credentials, or external APIs are requested.
- Instruction Scope
- noteSKILL.md instructs running the included local scripts only and the scripts do that. One minor mismatch: SKILL.md says files are stored under memory/insurance/, while the code actually stores them under WORKSPACE_ROOT/memory/insurance (WORKSPACE_ROOT defaults to ~/.openclaw/workspace). The code does not read other system artifacts or transmit data externally.
- Install Mechanism
- okNo install spec or external downloads; this is an instruction+code bundle where the agent runs bundled Python scripts. No archives or third-party installers are fetched.
- Credentials
- noteThe skill declares no required environment variables or credentials. The only environment usage is an optional WORKSPACE_ROOT environment variable to override the default workspace path; this is reasonable and not a secret requirement.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or global agent configuration. It persists only its own JSON files under its workspace directory.