Skillv1.0.0

ClawScan security

Verify Claims · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 11, 2026, 9:26 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions and requirements are coherent with a fact‑checking workflow: it only describes web searches of public fact‑checkers, asks no secrets or installs, and does not attempt to access unrelated system resources.
Guidance: This skill appears to do exactly what it says: it will search public fact‑checking websites and present cross‑referenced findings. Before using it, consider that the agent will send claim text and search queries to external search engines and third‑party fact‑checking sites (including translations), so do not submit private, sensitive, or personally identifiable content if you do not want it exposed. Also be aware fact‑checks can be behind paywalls, dated, or regionally limited — ask the agent to cite exact fact‑check URLs and publication dates, and to include a summary of each source's conclusion and confidence level.

Purpose & Capability: okThe name/description match the runtime instructions: the SKILL.md describes selecting and querying fact‑checking services and cross‑referencing results. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: noteInstructions direct the agent to fetch the Wikipedia list of fact‑checking websites and to run targeted site: searches (DuckDuckGo) against selected fact‑checkers. This is appropriate for the stated purpose, but it requires sending user content (search queries, claim text, translated terms) to external search engines and third‑party sites — which can expose sensitive user data if the user shares private material. The skill does not instruct reading local files or environment variables beyond asking for user language/location, which is proportional.
Install Mechanism: okInstruction‑only skill with no install spec and no code files. Low install risk: nothing is written to disk and there are no downloads or package installs.
Credentials: okThe skill requests no environment variables, credentials, or config paths. It may ask for user language/location for relevance — that is reasonable and proportional to its purpose.
Persistence & Privilege: okalways is false and the skill has no install steps or hooks that would persist or modify agent/system configuration. Autonomous invocation is allowed (platform default) but is not combined with elevated privileges or broad credential access.