Skill v1.0.0
ClawScan security
referral-program · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and included script are coherent with a referral/affiliate program design purpose and do not request unrelated credentials or install arbitrary software.
- Guidance: This skill appears coherent and self-contained. Before installing/using it: (1) review marketing-context.md (if present) to ensure it doesn't contain sensitive credentials or PII the skill would read; (2) note the included Python script will run locally if invoked — inspect it (it’s bundled) and avoid feeding it sensitive secrets; and (3) confirm you’re comfortable with the agent reading workspace files named in the instructions. No network calls or external downloads are present in the package.
Review Dimensions
- Purpose & Capability: ok. Name/description match the provided assets: an in-depth SKILL.md, two reference docs about measurement and mechanics, and a referral ROI calculator script. All requested capabilities (design, optimize, model ROI) are supported by the included materials; there are no unrelated dependencies or credentials.
- Instruction Scope: ok. Runtime instructions stay on-theme: gather product/metrics context (or read marketing-context.md if present), design/optimize referral mechanics, and optionally run the included ROI calculator. The only file-read instruction (marketing-context.md) is directly relevant to marketing context and is not a broad or vague instruction to harvest unrelated files or secrets.
- Install Mechanism: ok. No install spec or third-party downloads are present. This is an instruction-only skill plus a local Python script; nothing is fetched from external URLs or written to disk by an installer.
- Credentials: ok. The skill declares no required environment variables, no credentials, and no config paths. The script and docs do not reference hidden tokens or unrelated cloud credentials; runtime asks only for product/metrics inputs relevant to ROI modeling.
- Persistence & Privilege: ok. `always` is false and model invocation is allowed (platform default). The skill does not request persistent or elevated privileges, nor does it modify other skills or system-wide agent settings.
