Skill v1.0.0
ClawScan security
brand-guidelines · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:51 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only brand-guidelines skill whose instructions, required artifacts, and scope align with its stated purpose. It requests no credentials and installs no code.
- Guidance: This skill is internally consistent and low-risk: it is an instruction-only brand-guidelines helper that reads local project context if present and includes a bundled reference for Anthropic's identity. Before installing, confirm you are comfortable that the agent may read a workspace file named .claude/product-marketing-context.md (it could contain sensitive strategy or drafts). If you do not have permission to use Anthropic-branded assets, be cautious about applying those guidelines to published materials. Also consider whether you trust any referenced companion skills (marketing-context, canvas-design), because the skill suggests invoking them when available.
- Findings: [regex-scan-none] expected: Scanner found no code or regex hits. This is expected because the skill is instruction-only (only SKILL.md and reference docs).
Review Dimensions
- Purpose & Capability (ok): Name/description (brand guidelines, color/typography/logo/tone) match the SKILL.md and the included reference material. The skill does not request unrelated binaries, environment variables, or external services, which is proportionate for a documentation/audit helper.
- Instruction Scope (note): The instructions direct the agent to read a local file (.claude/product-marketing-context.md) if present and to prefer an internal 'marketing-context' skill when available. Reading a workspace marketing-context file is coherent for tailoring brand guidance, but it does mean the skill will access project-local files (potentially sensitive marketing strategy). There are no instructions to call external endpoints or read other system-wide secrets.
- Install Mechanism (ok): No install spec and no code files — instruction-only. Nothing will be written to disk or downloaded during install, minimizing supply-chain risk.
- Credentials (ok): No environment variables, credentials, or config paths are required. The skill does include Anthropic brand specifics in its bundled reference, but that is content, not a requested secret.
- Persistence & Privilege (ok): 'always' is false and the skill does not request persistent system-level privileges. The skill is user-invocable and may be called autonomously by the agent (platform default), but it does not combine that with broad credential access or other high-privilege requirements.
