Skill v1.1.0
ClawScan security
SWOTPal SWOT Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 12:46 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are consistent with a SWOT analysis tool: it only asks for a single API key for its pro mode and otherwise uses local prompt templates; nothing requested appears disproportionate or unrelated to its stated purpose.
- Guidance: This skill appears coherent: if you set SWOTPAL_API_KEY you are giving the skill permission to call swotpal.com and access your saved analyses under that account, so only provide a key you trust to that service. If you do not set a key the skill runs locally using prompt templates — local generation can produce plausible-sounding but potentially inaccurate assertions (hallucinations), so verify facts (financials, recent events) before using outputs in reports. Review the privacy/security practices of swotpal.com if you plan to enable Pro mode and avoid sharing other unrelated credentials with the skill.
Review Dimensions
- Purpose & Capability: ok. The skill is a SWOT/competitive-analysis tool and only declares a single credential (SWOTPAL_API_KEY) used for the described Pro API mode and cloud sync. No unrelated binaries, config paths, or extra credentials are requested.
- Instruction Scope: ok. SKILL.md instructs the agent to either (a) call swotpal.com endpoints using the provided API key or (b) fall back to a local prompt template. It does not direct the agent to read unrelated files, other environment variables, or to exfiltrate data outside the documented API. The templates ask the model to cite market data (a quality requirement) but this is a content expectation rather than an instruction to access external systems.
- Install Mechanism: ok. This is an instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by an installer, which is the lowest-risk pattern.
- Credentials: ok. Only SWOTPAL_API_KEY is required and is reasonably justified for Pro mode (Authorization: Bearer header to swotpal.com). There are no additional secrets or unrelated environment variables requested.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills' config, and only operates in-session. Autonomous invocation (model-invocation enabled) is the platform default and not by itself a concern here.
