Back to skill
Skillv5.3.3
ClawScan security
Universal Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 13, 2026, 10:48 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only skill is internally consistent: it requires no installs or secrets and its runtime instructions (perform web fact‑gathering, cite sources, avoid fabrication) match the described purpose of rigorous expert analysis.
- Guidance
- This is an instruction-only skill that enforces doing web searches and citing sources before producing an analysis. It does not ask for secrets or install code, so its requests are proportionate to its purpose. Before enabling it, check what platform search/web-access tools it will actually call and what permissions those tools have (they may perform network requests or use logged-in browser sessions). If you are concerned about exposing account data, test the skill on low-sensitivity queries first and confirm the platform prompts you before granting access for actions the skill labels R3–R5.
Review Dimensions
- Purpose & Capability
- okName/description (fact‑checked, multi‑layered expert analysis) align with instructions that require performing external searches and citing sources. The suggested tools (web_search, baidu-search, web_fetch, web-access) are appropriate for the stated goal.
- Instruction Scope
- noteInstructions force the agent to call a search/fetch tool before analysis and to include detailed citations and confidence labels. This stays within the skill's stated scope, but it does require the platform's search/web-access tools — which may in practice perform network requests or use logged‑in sessions. The SKILL.md also prescribes risk categories and confirmation for higher‑risk actions, which mitigates misuse.
- Install Mechanism
- okNo install spec and no code files; nothing is written to disk. This is the lowest‑risk model for installation.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. It does reference tools that may require platform-managed access (e.g., web-access requiring login), but the skill itself does not ask for user secrets.
- Persistence & Privilege
- okalways:false and no special persistence requested. Autonomous invocation is allowed by platform default but the skill does not request elevated always-on privileges or modifications to other skills.