Skill v2.1.1
ClawScan security
Strategic Alignment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 1:51 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and required inputs align with a strategy-alignment helper; nothing requests unrelated privileges or network access and the included Python script appears to perform only local OKR analysis.
- Guidance: This skill appears coherent and self-contained: it analyzes local JSON OKR data and provides alignment reports and playbook guidance. Before running: (1) review the full alignment_checker.py if you plan to run it in production to confirm no network calls or unexpected file writes (the provided snippet shows only local analysis), (2) run the script on non-sensitive or redacted sample data first if OKRs contain confidential customer or personnel data, and (3) run it in a restricted environment (virtualenv or isolated runner) if you want defense-in-depth. If you intend to let an autonomous agent invoke this skill, note the agent could run the script with any JSON you provide — ensure you trust automated inputs and the environment the agent uses.
Review Dimensions
- Purpose & Capability: ok. Name/description (cascade strategy, detect orphan OKRs/conflicts/gaps) match the SKILL.md guidance, the playbook, and the included alignment_checker.py script which analyzes JSON-formatted OKRs. No unrelated credentials, binaries, or installation steps are requested.
- Instruction Scope: ok. Runtime instructions are limited to running the included alignment_checker.py and following structured workshop steps and surveys. The SKILL.md does not instruct the agent to read unrelated system files, environment variables, or transmit data to external endpoints.
- Install Mechanism: ok. No install spec is provided (instruction-only with bundled script). The single code file is a Python script intended to run locally. There is no download-from-URL or archive extraction step.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The analysis script takes a JSON input file and uses only standard Python libraries — this is proportionate to the described functionality.
- Persistence & Privilege: ok. The skill is not forced-always (always:false). It is user-invocable and allows autonomous invocation (platform default), which is reasonable here since the skill is self-contained and doesn't request broad privileges or credentials.
