Skill v1.0.0

ClawScan security

Payroll · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 8:06 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only payroll guidance tool and its requested resources and instructions are consistent with that purpose.
Guidance
This skill is an instruction-only payroll advisor and appears internally consistent. It does not install code, request credentials, or call external endpoints by itself. However: (1) do not paste full SSNs, bank routing/account numbers, or other highly sensitive PII into an AI chat unless you trust where that conversation is stored and who has access; use placeholder or masked values when prototyping. (2) Because the skill’s source/owner is not clearly verifiable in the registry metadata, avoid using it to perform actual payments, file returns, or take irreversible actions — use a trusted payroll provider or your accountant for payments and filings. (3) If you plan to supply real payroll data to an agent that has additional platform permissions (file I/O, external API access), review those agent permissions and logs before doing so. If you want stronger assurance, ask the publisher for provenance (who maintains it, homepage, support contact) before relying on it for production payroll.

Review Dimensions

Purpose & Capability
ok: Name, description, and declared capabilities match the SKILL.md guidance (payroll setup, classification, tax calculations, calendars, year‑end tasks). No unrelated environment variables, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md contains only guidance, checklists, and prompts for payroll tasks; it does not instruct reading system files, loading credentials, or contacting external endpoints. Note: the skill expects the user to provide sensitive payroll data (SSNs, bank/account info, wage history) during conversations — the skill does not itself request environment credentials, but user-supplied PII is expected and should be handled carefully.
Install Mechanism
ok: No install spec and no code files — instruction-only. Nothing is written to disk or fetched during install, minimizing install-time risk.
Credentials
ok: No environment variables, secrets, or external credentials are required. This is proportionate for a guidance-only payroll skill. Reminder: the skill may prompt users to enter highly sensitive personal and financial data during use; that is expected for payroll but warrants caution.
Persistence & Privilege
ok: Skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system configuration according to provided metadata.