Skill v2.1.1

ClawScan security

Free Tool Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 8:43 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is a coherent marketing playbook with a single benign ROI script and no credential or install requirements; its behavior matches its stated purpose.
Guidance
This skill is a coherent marketing playbook with an ROI calculator script. Before installing or running: (1) review any local file the skill is allowed to read (it will look for marketing-context.md) to ensure it contains no secrets or sensitive internal data; (2) if you plan to execute the included Python script, run it in a sandboxed environment you control (it appears benign and offline); and (3) be aware the playbooks recommend actions that involve third-party services (GA4, Search Console, Ahrefs, Hotjar) — those require separate credentials and manual setup, and the skill does not request or store them.

Review Dimensions

Purpose & Capability
ok: The name/description (free marketing tools, idea evaluation, design, launch) match the included materials: a detailed SKILL.md, two reference playbooks, and a local ROI estimator script. The script and docs are appropriate for evaluating and launching free marketing tools.
Instruction Scope
note: Runtime instructions are primarily advisory and workflow-driven. One explicit runtime action tells the agent to read marketing-context.md if it exists — this reasonably allows the agent to pick up user-provided marketing context, but it does permit reading a local workspace file. The playbooks reference setting up GA4, Search Console, Ahrefs, outreach, etc., but they do not instruct the agent to access any external credentials or to exfiltrate data. Recommend checking any marketing-context.md file for sensitive content before use.
Install Mechanism
ok: There is no install spec or remote download. The skill is instruction-first and includes one local Python script (tool_roi_estimator.py) which contains no network or secret-exfiltration code. No archives or third-party packages are pulled during install.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. Although the docs mention external services (GA4, GSC, Ahrefs, Hotjar), they are presented as human-run steps; the skill does not request or embed any unrelated secrets.
Persistence & Privilege
ok: always is false, user-invocable is allowed, and there is no indication the skill will modify other skills or system-wide agent settings. It does not request permanent presence or elevated privileges.