Skill v2.1.1
ClawScan security
Cs Onboard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 11:19 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests and instructions match its stated purpose (conducting a founder interview and saving a single company-context file); nothing in the package asks for unrelated credentials or external installs, but it does create persistent local context that may contain sensitive information.
- Guidance: This skill appears to do exactly what it says: run a structured founder interview and save the answers to ~/.claude/company-context.md for other C-suite advisor skills. Before installing or using it: (1) be mindful that the saved file will contain potentially sensitive business details; avoid entering secrets (API keys, passwords) or unnecessary PII; (2) consider the trustworthiness of any other skills that might read ~/.claude/company-context.md; (3) after an interview, review the generated file and set restrictive file permissions (e.g., chmod 600) or encrypt/remove it if you don't want long-term persistence; (4) if you need stronger guarantees, ask the skill author whether the file is stored encrypted or whether the skill supports an alternative storage location. If the skill ever requested external endpoints, additional credentials, downloads, or system-wide config changes, treat that as a warning — that would change this assessment.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the content: the SKILL.md and templates are entirely focused on running an onboarding interview and generating a company-context file. There are no unrelated env vars, binaries, or install steps requested.
- Instruction Scope (note): Instructions explicitly require writing a persistent file at ~/.claude/company-context.md and instruct the agent to capture potentially sensitive company details (revenue ranges, runway, blind spots, etc.). This behavior is coherent with the stated purpose, but it means the skill will persist free-form sensitive data locally and other C-suite advisor skills will be expected to read it.
- Install Mechanism (ok): No install spec and no code files — instruction-only. Nothing is downloaded or written to disk by an installer beyond the single context file the instructions create, so install risk is minimal.
- Credentials (ok): No environment variables, credentials, or config paths are requested. That is appropriate for an interview/context-capture skill. Note: the skill relies on user-provided answers which may include sensitive secrets if the user types them.
- Persistence & Privilege (note): The skill writes and enforces a single persistent file (~/.claude/company-context.md) intended as a single source of truth for other advisor skills. It does not declare 'always: true' and does not modify other skills' configs, but the persistent file increases blast radius: any other installed skill that reads this path will gain access to its contents.
