Skill v1.0.0

ClawScan security

ab-test-setup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 3:50 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and requirements are consistent with an A/B test design helper — it contains documentation and a local Python sample-size calculator and does not request unrelated credentials or install remote code.
Guidance
This skill appears coherent and appropriate for designing A/B tests. Before installing: (1) Review the included Python script if you plan to run it locally — it uses only stdlib and has no network calls, but running code always carries execution risk; (2) be aware the skill will read '.claude/product-marketing-context.md' if that file exists in the agent workspace — ensure that file does not contain unshared secrets or sensitive data you don't want the skill to use; (3) because the skill can be invoked autonomously by the agent (normal default), consider who can trigger the agent and what workspace files are present. If you want an extra safety step, run the Python calculator in a sandboxed environment or inspect the repository copy before executing any scripts.

Review Dimensions

Purpose & Capability
ok: Name/description (A/B test design) match the included artifacts: a comprehensive SKILL.md, reference docs, test templates, and a sample_size_calculator.py. Nothing requested (no env vars, binaries, or unrelated config paths) is disproportionate to the stated purpose.
Instruction Scope
ok: Runtime instructions are limited to experiment design guidance and a single local context read: '.claude/product-marketing-context.md' if present. That file path is reasonable for using pre-provided product context; there are no instructions to scan system files, read unrelated credentials, or transmit data to external endpoints.
Install Mechanism
ok: No install spec (instruction-only skill) and a single included script. The Python script is stdlib-only and contains no network/download behavior. No archives or external installers are used.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config paths beyond an optional local product-context file. There are no secrets requested or unexplained credential needs.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent/privileged presence or modify other skills. Autonomous invocation is allowed by default (platform normal) but not combined with other concerning privileges.