Skill v1.0.0
ClawScan security
Olo Deal Memo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 2:53 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only M&A investment memorandum generator whose requested capabilities and instructions are consistent with its stated purpose. It does not request extra credentials or install anything.
- Guidance: This skill appears internally consistent, but before installing verify: (1) what platform data the agent can access when it asks to 'pull existing DD data from platform' — ensure only approved deal files are available; (2) where 'web research' calls are sent and whether those queries could leak confidential targets (avoid sending sensitive excerpts to public APIs); (3) how generated outputs (PDF, PPTX, Excel) are stored and shared—ensure they follow your org's access controls; and (4) test with non-sensitive example deals to confirm sources are properly cited and numbers reconcile. If you need stricter controls, restrict the skill's data connectors or run it in an environment that prevents external network calls.
Review Dimensions
- Purpose & Capability (ok): Name and description (investment memorandum generation) align with the SKILL.md: structured memo sections, data-backed analysis, and multiple output formats. There are no declared binaries, env vars, or config paths that are unrelated to producing memos.
- Instruction Scope (note): Instructions stay within the domain of memo generation: aggregate DD data, RAG over uploaded documents, web research for market context, synthesize narrative and models. The SKILL.md is prescriptive about structure and quality standards. It is slightly high-level about how to 'pull existing DD data from platform' and 'web research' (no endpoints or credentials specified), which is expected for an instruction-only skill but leaves some implementation detail to the host platform.
- Install Mechanism (ok): No install spec and no code files—lowest-risk format. Nothing is written to disk or downloaded by the skill itself.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The data access it asks for (uploaded documents, platform DD data, web data) is proportionate to the stated purpose.
- Persistence & Privilege (ok): 'always' is false and there is no request to modify other skills or system-wide config. Autonomous agent invocation is allowed by default but that is normal and not a red flag on its own.
