Skill v2.1.1

ClawScan security

Campaign Analytics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 4:56 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and requirements are consistent with a local marketing analytics toolkit that runs deterministic Python scripts on user-provided JSON; it does not request secrets, install external packages, or reference external endpoints.
Guidance
This appears to be a locally-run analytics toolkit. Before installing or running: (1) review the full source of all three scripts (campaign_roi_calculator.py and funnel_analyzer.py were truncated in the package preview) to confirm there are indeed no network calls or hidden behavior; (2) run the tools on synthetic or non-sensitive sample data first; (3) avoid feeding production PII/credentials into the sample JSON unless you’ve inspected the code; (4) run in an isolated environment or container if you want extra safety. If you need help auditing the two remaining scripts for network calls or file-system access, share their sources and I can review them.

Review Dimensions

Purpose & Capability
ok
Name/description, SKILL.md, templates, reference docs, sample data, and the three Python scripts all align on performing attribution, funnel, and ROI analysis. Nothing in the manifest or instructions requests unrelated resources or credentials.
Instruction Scope
ok
SKILL.md instructs running local Python CLI scripts against user-supplied JSON and describes input/output formats; it does not ask the agent to read unrelated system files, access environment credentials, or send data externally. The shown script (attribution_analyzer.py) operates only on the input JSON and uses the standard library.
Install Mechanism
ok
No install spec is provided (instruction+scripts only). That is proportionate for a small CLI toolkit and limits the skill from pulling arbitrary remote code during install.
Credentials
ok
The skill declares no required environment variables, no primary credential, and no config paths. The SKILL.md and visible script do not reference secrets or external APIs, so requested environment access is minimal and appropriate.
Persistence & Privilege
ok
always is false (no forced presence). The skill is user-invocable and can be called autonomously (platform default), which is expected for a utility. It does not request system-wide configuration changes or modify other skills.