Back to skill
Skillv1.0.0
ClawScan security
marketing-ops · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 3:24 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements are consistent with a marketing orchestration router — there are no unexpected installs, credentials, or external network calls.
- Guidance
- This skill appears to do what it claims: route marketing requests and provide a small local campaign analysis tool. Before installing or running: (1) review any marketing-context.md or campaign JSON you provide for sensitive data (API keys, tokens, or PII), since the skill will read local files you point it at; (2) note that the skill can be invoked by the agent per platform defaults — if you don't want autonomous runs, adjust agent policy; (3) if you expect network integrations, confirm additional skills it routes to are trustworthy (this router delegates work to other marketing skills).
Review Dimensions
- Purpose & Capability
- okThe skill is described as a marketing operations router and includes routing rules in SKILL.md plus a small campaign_tracker.py for analyzing campaign task status. The presence of a local campaign tracker script is appropriate and proportional to the described purpose.
- Instruction Scope
- okRuntime instructions are narrowly scoped to routing marketing queries and recommending/reading a local marketing-context.md file when present. The instructions do not ask the agent to collect unrelated system data, read arbitrary configuration, or send data to external endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only), and the included Python script is small and self-contained. There are no downloads, package installs, or archive extraction steps that would write arbitrary code to disk beyond the included file.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The Python script reads only a provided JSON file (or uses a built-in sample) and does not access environment secrets or external services.
- Persistence & Privilege
- okThe skill does not request always:true and does not modify other skills or system-wide settings. It is user-invocable and may be invoked autonomously per platform defaults, which is expected for a router/orchestration skill.