Skill v0.0.2

ClawScan security

HiArthur Product Search and Understanding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 10, 2026, 10:28 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (searching Amazon-sourced products and performing deep analysis) matches the instructions (POST requests to hiarthur.com APIs) and it requests no extra credentials or installs — the behavior is internally consistent.
Guidance
This skill is an instruction-only wrapper that sends your search queries and product-location values to hiarthur.com and displays results. Before installing or using it: (1) recognize that all query text and returned analysis will be handled by the remote service (avoid sending PII, account numbers, private images, or other sensitive data); (2) verify you trust the third-party domain (hiarthur.com) and prefer services with a visible homepage/privacy policy if you need stronger guarantees; (3) test with non-sensitive queries first to validate returned data and behavior; (4) if you require auditability, prefer skills that provide client-side code or use well-known, documented APIs you can inspect. There are no incoherent requests (no unexpected credentials or local file access), but the usual privacy caution for any third-party API applies.

Review Dimensions

Purpose & Capability
ok
The SKILL.md documents two HTTP endpoints on hiarthur.com for search and product analysis, which directly implement the described functionality (product discovery, CV + LLM analysis, review synthesis). There are no unrelated environment variables, binaries, or install steps requested that would be out of scope for a remote-analysis service.
Instruction Scope
note
All runtime instructions are to POST JSON to hiarthur.com endpoints and to follow GUI links hosted on hiarthur.com; the skill does not instruct the agent to read local files, system credentials, or other environment variables. Note: using the GUI/conversation URLs means query text and returned analysis will be handled and potentially displayed by the external service — consider privacy implications.
Install Mechanism
ok
No install spec or code files are provided (instruction-only). That minimizes local persistence and disk writes; all processing is performed by the external API service.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths, which is proportional to an instruction-only wrapper that delegates work to a remote API. There are no unexplained secret requests.
Persistence & Privilege
ok
always is false and the skill does not request special persistent privileges. Model invocation is allowed (the platform default) and appropriate for a skill that performs remote API calls.