Skill v2.1.1

ClawScan security

Product Analytics · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 2:31 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are coherent with a product-analytics helper that reads CSV event data and computes retention, cohorts, and funnel metrics; it does not request credentials, install external code, or perform network I/O.
Guidance
This skill appears coherent and simple in implementation, but consider the following before installing:
1) Source is unknown; prefer skills from trusted publishers.
2) The CLI reads CSVs you supply; those files may contain PII or sensitive user data. Avoid passing sensitive data unless you trust the environment.
3) The script loads the entire CSV into memory and assumes ISO-like date strings; large files may exhaust memory and malformed dates may raise errors.
4) Output is printed to stdout (no encryption or storage), so logs could be captured by your environment.
If you plan to use it in production, review and modify the script for input validation, streaming of large files, and any privacy requirements.

Review Dimensions

Purpose & Capability
ok: Name/description (product KPIs, cohort/retention, dashboards) align with the included documentation and the CLI Python utility (scripts/metrics_calculator.py), which implements retention, cohort matrices, and funnel conversion from CSV input.
Instruction Scope
ok: SKILL.md limits runtime actions to selecting frameworks, defining KPIs, designing dashboards, and running the included CLI against local CSV files. The instructions do not ask the agent to read unrelated files, environment variables, system configs, or to transmit data externally.
Install Mechanism
ok: There is no install spec and only an included Python script; nothing is downloaded or extracted from external URLs. This is low-risk for disk persistence or arbitrary code retrieval.
Credentials
ok: The skill requires no environment variables, no credentials, and no config paths. The included script reads only CSVs provided as command arguments and does not access secrets or network resources.
Persistence & Privilege
ok: The skill is not set to always:true and is user-invocable only. It does not modify other skills or system-wide agent settings; it does not request permanent presence or elevated privileges.