Skill v1.0.1
ClawScan security
Real Estate Master · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 6, 2026, 6:32 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and included files are coherent with the stated purpose (off‑plan group‑buy equity and funding simulation) and do not request unrelated credentials, external installs, or network access.
- Guidance: This skill appears to be what it says: a local equity and funding simulator. Before using, review any config JSON you feed it to ensure it contains no sensitive credentials or personal data you don't want processed. If you plan to publish per‑investor views or implement sharing links, note the skill contains no server or token management — you'll need to build a secure delivery mechanism (HTTPS endpoints, access controls). Run the scripts in a controlled environment with a known Python interpreter, and validate outputs against a small test dataset to ensure formulas meet your legal/financial requirements (especially because 'inv1' is treated as the admin/cash pool contributor in the current logic). If you need networked reporting, audit and add secure transport and auth rather than exposing raw config files.
Review Dimensions
- Purpose & Capability (ok): Name, description, and included files (two Python scripts, config sample, references) align with a simulation/equity calculator for group buys; declared runtime requirement (python3) is appropriate and proportional.
- Instruction Scope (note): SKILL.md instructs running the included scripts against a local JSON config and documents simulation and sharing workflows. It mentions 'dash/<token>' routes as a developer note but explicitly states the skill does not run a web server; there is no instruction to read unrelated system files, environment variables, or to transmit data to external endpoints. Note: wording around generating 'unique sharing links' is informative only — no link‑generation or network code is provided.
- Install Mechanism (ok): No install spec; scripts are bundled with the skill and executed locally with python3. No downloads or archive extraction from external URLs are required.
- Credentials (ok): The skill requests no environment variables or credentials. The scripts operate on a user-provided JSON config and do not access secrets, system config paths, or networked services.
- Persistence & Privilege (ok): Skill is user‑invocable, not always‑on, and does not modify other skills or request persistent platform privileges. Autonomous invocation is permitted by platform default but not combined with other risky properties.
