Skill v1.3.0

ClawScan security

McKinsey-Style Meeting Brief Copilot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 10:10 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This is an instruction-only skill whose inputs, outputs, and runtime instructions are coherent with its stated purpose (creating consulting-style meeting briefs); it requests no credentials, installs nothing, and contains no code.
Guidance
This skill is internally consistent and doesn't request credentials or install anything. Before using it, remember: 1) it may be asked to 'infer' missing context and could produce plausible-sounding assumptions — verify any factual claims, especially about people or companies; 2) do not paste highly sensitive or regulated information (SSNs, passwords, proprietary code) into prompts unless you're certain your platform's model handling and storage meet your privacy requirements; and 3) review generated follow-ups and action items for factual accuracy and tone before sending to real recipients.
Findings
[regex_scan_no_findings] expected: The repository is instruction-only and contains no code files, so the regex-based scanner had nothing to analyze. This absence of findings is expected for an instruction-only skill.

Review Dimensions

Purpose & Capability
ok: The name and description (meeting briefs, follow-ups, action items) match the SKILL.md content. The skill requires no binaries, env vars, or configs and does not attempt to access unrelated services — the requested capabilities are proportionate to the stated purpose.
Instruction Scope
note: The SKILL.md is a set of instructions for formatting and producing meeting briefs. It explicitly allows the agent to 'infer reasonably and proceed' when context is missing; this is coherent with the goal but introduces a non-security risk: the agent may make reasonable assumptions or fill gaps (potentially producing hallucinated facts). There are no instructions to read system files, environment variables, or send data to external endpoints beyond normal model/API usage.
Install Mechanism
ok: No install spec and no code files — instruction-only. This is low-risk: nothing is written to disk and no external packages are fetched.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. There is no disproportionate credential or environment access requested.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent system presence or modify other skills. Model invocation is enabled (platform default), which is expected for a conversational skill; this alone is not flagged as a problem.