Skillv2.1.0

ClawScan security

Mortgage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 2:16 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's description promises multiple mortgage features, but the package only includes a single affordability script and several referenced scripts/docs are missing, which is an incoherence that warrants caution before installing.
Guidance: This package is incomplete: SKILL.md promises many scripts and reference files that are not included. Before installing or enabling the skill, ask the publisher for the complete source or a homepage, or request that they bundle the missing scripts and docs. If you still try it, inspect any additional files the skill writes (it may create ~/.openclaw/workspace/memory/mortgage) and run in a restricted/sandbox environment. Because the agent may attempt to run non-existent scripts, watch for attempts to fetch code from external sources or unexpected network activity. If you need only affordability calculations, consider running the single provided script directly and not enabling the full skill until the package is clarified.

Review Dimensions

Purpose & Capability: concernThe SKILL.md describes many capabilities (compare_types.py, prep_documents.py, track_application.py, compare_lenders.py, references/*.md, etc.) but the bundle contains only scripts/calculate_affordability.py and no reference documents. That mismatch means the declared capabilities are not actually present in the package.
Instruction Scope: concernRuntime instructions reference multiple scripts and local storage under memory/mortgage/; only calculate_affordability.py exists. The provided script prints estimates and does not read or write the declared JSON files, so the SKILL.md and the actual runtime behavior diverge. The instructions also assume agent use of several non-existent scripts, which could cause the agent to attempt fetching or executing missing components.
Install Mechanism: okNo install spec (instruction-only + one small script). Nothing is downloaded or installed automatically and there are no external URLs or archives in the package.
Credentials: noteNo environment variables or credentials are requested, which is appropriate. The script will create and use a local directory (~/.openclaw/workspace/memory/mortgage) for storage if other code follows the README — users should note that the skill will create files under the user's home directory if additional scripts are added.
Persistence & Privilege: okalways is false and the skill does not request elevated privileges. Its only filesystem action in included code is to create a directory under the user's home; that is normal for a local-agent utility.