Capa Officer
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Note
Medium Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means
If the user runs the included script, they are executing local Python code rather than only reading guidance.
Why it was flagged
The package is described as instruction-only while also including a runnable helper script; this is not suspicious by itself, but users should notice the packaging mismatch before running local code.
Skill content
No install spec — this is an instruction-only skill. ... Code file presence: scripts/capa_tracker.py
Recommendation
Review the included script before running it, and run it only against intended CAPA data files in a controlled local environment.
