Skill v1.0.0

ClawScan security

Startup Info · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 2:08 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only skill whose requests (web searches, fetching public pages) and template match its stated purpose, and it does not request credentials, installs, or unrelated system access.
Guidance
This skill is coherent and low-risk in itself, but before enabling it: confirm which browsing/search provider the agent will use and what that provider can access (browser tool may have its own API keys or web access policies); expect some blocked pages (LinkedIn, Crunchbase) and verify sources cited in the output since the prompt allows relying on snippets; if you plan to research private or sensitive startups, be aware of legal/terms-of-service constraints for scraping certain sites.

Review Dimensions

Purpose & Capability
ok
Name/description (investor-style briefings) align with the instructions: the SKILL.md explicitly instructs the agent to perform web searches, fetch company home/about pages, and extract funding/founder/traction/competitor data. The skill declares no binaries, env vars, or installs—nothing extraneous is requested for the stated task.
Instruction Scope
ok
Runtime instructions are narrowly scoped to web searches, limited follow-up searches (no more than 2 rounds), page fetching, and producing a fixed briefing template. The prompt does not ask the agent to read local files, environment variables, or other system state. One minor operational note: it permits using search snippets when sites block fetching (expected for blocked pages like LinkedIn/Crunchbase).
Install Mechanism
ok
There is no install spec and no code files—this is instruction-only. That minimizes disk writes and executable installs and is proportionate to the described functionality.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. It relies on the agent's web-search/browsing capability (which may itself be backed by provider-specific API keys), but the skill does not request unrelated secrets or elevated access.
Persistence & Privilege
ok
always:false (not force-included). disable-model-invocation:false (normal—agent may invoke it autonomously). The skill does not request persistent system-wide changes or access to other skills' configs.