Back to skill
Skillv2.3.7
ClawScan security
Dispute Letter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:50 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with a local dispute-letter/template generator; it writes user data to a per-user data directory but does not request credentials or contact external services.
- Guidance
- This skill appears to be a straightforward local template generator. Before installing, note: (1) it will create and write files under ~/.local/share/dispute-letter (or the directory you set with DISPUTE_LETTER_DIR), including data.log and history.log — avoid putting sensitive personal data there if you don't want it stored; (2) SKILL.md mentions commands (employer, insurance, bank, template) that are not implemented in the shipped scripts, so expect some documentation mismatch; (3) there are no network calls or credential requests, so it does not exfiltrate data by design, but you should still inspect or run the scripts in a safe environment if you have doubts about origin. If you need auditability, verify the files locally and consider running them in a sandbox or reviewing their output before using real personal identifiers.
Review Dimensions
- Purpose & Capability
- okName/description match the actual functionality: the scripts generate dispute/complaint letter templates (consumer, credit, contract, landlord). The files that are present are proportional to a template generator and do not require network access or external credentials.
- Instruction Scope
- noteSKILL.md instructs running the included CLI and references commands; the shipped scripts implement consumer, credit, contract, and landlord templates and a separate utility script. SKILL.md also lists additional commands (employer, insurance, bank, template) that are not implemented in the provided scripts — this mismatch is sloppy but not evidence of malicious behavior. The Python template prints example placeholders (including an SSN-last-4 placeholder) but does not attempt to read or transmit any sensitive data.
- Install Mechanism
- okNo install spec is provided (instruction-only style) and included scripts are plain shell/Python files. Nothing is downloaded from external URLs or extracted during install — low risk.
- Credentials
- okThe skill requests no environment variables or credentials. It optionally respects DISPUTE_LETTER_DIR / XDG_DATA_HOME / HOME to choose a data directory, which is appropriate for a tool that stores local data.
- Persistence & Privilege
- okalways is false and the skill does not request elevated privileges. It creates and writes files under a user-scoped data directory (~/.local/share/dispute-letter by default), which is reasonable for storing templates/history but means generated content and any added entries will be stored on disk.