Skill v1.0.0

ClawScan security

Testimonial Collector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 18, 2026, 8:34 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instruction-only skill that provides templates and formatting guidance for collecting testimonials; its requirements and instructions are consistent with its stated purpose.
Guidance
This skill is coherent and low-risk technically, but before using it:
1) Always get explicit, recorded permission from the client before publishing a quote (keep approvals).
2) Never add or exaggerate claims or outcomes — follow the skill's 'can't' rules and send edits back for approval.
3) Be mindful of personal data and regional privacy rules (e.g., GDPR); redact or avoid publishing sensitive details.
4) If you plan to automate sending messages, confirm you have the client's consent and that automated delivery is appropriate.
5) Keep your testimonial library secure (access control) and track where each quote is used and when permissions expire.

Review Dimensions

Purpose & Capability
ok: Name, description, and runtime instructions all focus on composing asks, questions, draft testimonials, formatting guidance, and a simple tracking spreadsheet — nothing requested or instructed is outside the testimonial-collection purpose.
Instruction Scope
note: SKILL.md is limited to message templates, question sets, formatting rules, follow-up timing, and a suggested tracking sheet. It does not instruct the agent to access system files, environment variables, or external APIs. Note: the instructions give broad discretion to draft and edit testimonials — the doc includes explicit rules against fabricating or exaggerating claims, but the agent/operator must enforce approval/consent before publishing to avoid ethical or legal issues.
Install Mechanism
ok: No install spec and no code files — instruction-only skills write nothing to disk during install. This is the lowest-risk install model and matches the skill's simple, advisory purpose.
Credentials
note: The skill requests no environment variables, credentials, or config paths, which is proportionate. However, the skill's use case involves collecting and publishing people’s statements and possibly personal data; users should ensure they obtain explicit permission and comply with applicable privacy rules before storing or publishing testimonials.
Persistence & Privilege
ok: Skill flags are default (not always-on, agent-invocable allowed). It does not request persistent privileges or modify other skills or system settings.