Skill v1.1.0

ClawScan security

Compliance Officer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 4:32 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only compliance reviewer that uses bundled rule files and optional URL fetching; its declared requirements and runtime instructions are consistent with its stated purpose.
Guidance
This skill appears coherent and limited to compliance review using the bundled rule files and optional URL fetching. Before installing: (1) confirm you are comfortable granting network access (the skill may fetch user-supplied URLs); (2) avoid pasting sensitive personal health information (PHI) or other secrets into the tool unless you have appropriate agreements in place — HIPAA-related checks may process content you submit; (3) verify the claimed source repository (the SKILL.md points to github.com/QCME-AI/agentic-compliance-rules) if provenance matters to you; and (4) treat outputs as pre-review guidance only — have your legal/compliance team review final decisions.

Review Dimensions

Purpose & Capability
ok
The name/description (marketing/compliance review) match the shipped assets: structured rule files for FTC, HIPAA, GDPR, SEC, CCPA, COPPA, and CAN-SPAM and an instructions document describing how to use them. No unrelated binaries, credentials, or config paths are requested. The claw.json network permission aligns with the SKILL.md note that URL fetching may be needed.
Instruction Scope
ok
Runtime instructions confine the agent to loading local rule JSON files, reasoning about them, and optionally fetching a user-provided URL (privacy policy pages). The instructions do not ask the agent to read system files, access credentials, or post content to arbitrary endpoints. One minor note: the skill accepts images but does not specify OCR steps — that is likely intended to rely on the host agent's vision capabilities rather than adding new disk/exec behavior.
Install Mechanism
ok
There is no install spec and no code files to install or execute; this is instruction-only with bundled reference data. This is the lowest-risk install profile.
Credentials
ok
The skill requests no environment variables, no keys, and no config paths. The only declared permission is network (to fetch user-supplied URLs), which is proportional to the feature set.
Persistence & Privilege
ok
The skill is not force-included (always:false), makes no claims about modifying other skills or system settings, and does not request elevated or persistent privileges.