Skill v1.0.0

ClawScan security

Dewell Bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 6:30 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only description for freight-agent shipping queries and bookings and its declared requirements and instructions are consistent with that purpose.
Guidance
This skill is just an instruction/spec for a freight-agent shipping assistant and is internally consistent. Before using it in production, note: (1) the skill as provided has no integration code — to actually query carriers or accept bookings you'll need to connect real APIs/services and supply their credentials; only provide those credentials to trusted services and restrict their scope. (2) Booking workflows will involve customer and cargo data (PII, commercial details); ensure data handling and retention meet your privacy and compliance requirements. (3) If an implementation or third-party connector is added later, review its install sources (avoid untrusted downloads) and audit the network endpoints it calls.

Review Dimensions

Purpose & Capability
ok: Name and description match the SKILL.md content: a freight-agent focused shipping/rate/booking helper. There are no unrelated required binaries, credentials, or config paths that would be unexpected for this purpose.
Instruction Scope
ok: SKILL.md contains feature descriptions, usage flow, and integration suggestions but does not instruct the agent to read local files, access system credentials, or send data to external endpoints. It stays within the expected scope of describing shipping queries and booking workflows.
Install Mechanism
ok: No install spec and no code files are present (instruction-only). Nothing will be downloaded or written to disk by an installer, which is the lowest-risk pattern for this kind of skill.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. That is proportionate: actual integrations (not included) would later require carrier/API keys, but the skill itself does not request them.
Persistence & Privilege
ok: "always" is false and the skill does not request elevated or persistent privileges. It does not modify other skills or system-wide settings in the instructions.