Skill v2.0.1
ClawScan security
Privacy Policy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:50 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- Files and runtime instructions are coherent with a privacy-policy generator and light compliance/audit helper; nothing appears to exfiltrate secrets or require unrelated credentials, but the package writes logs to a user data directory so inspect before running in sensitive environments.
- Guidance
- This skill appears to do what it claims: generate privacy policies and provide simple compliance/audit helpers. Before installing or running: (1) review the two shipped scripts yourself (they are small and readable); (2) note that the utility will create/write files under a data directory (default ~/.local/share/privacy-policy) — if you prefer, set PRIVACY_POLICY_DIR to a sandboxed location; (3) run the scripts as a non-root user; (4) remember generated policies are for reference only (the bundled disclaimer already says consult a lawyer). If you need stronger assurance, ask the publisher for a public repo/release or run the scripts in an isolated environment first.
Review Dimensions
- Purpose & Capability
- ok: The skill is advertised as a privacy policy generator (GDPR/CCPA, app/website, audit). The included scripts implement policy generation (scripts/privacy.sh) and a small compliance/security checklist/logger tool (scripts/script.sh). Both map reasonably to 'privacy policy' and 'compliance/audit' functionality; there are no unrelated credentials or binaries requested.
- Instruction Scope
- ok: SKILL.md describes only generate/gdpr/ccpa/app/website/audit actions. The scripts perform text generation and simple auditing/logging actions; they do not instruct the agent to read arbitrary system files, call external endpoints, or send data off-host. The audit/scan script is a lightweight local logger, so scope stays within compliance/utility tasks.
- Install Mechanism
- ok: There is no install spec (instruction-only skill). Provided scripts are shipped with the skill; no external downloads or package installs are invoked, lowering supply-chain risk.
- Credentials
- note: No required env vars or credentials are declared. The scripts optionally read PRIVACY_POLICY_DIR, XDG_DATA_HOME, and $HOME to determine a data directory and will write logs there (default ~/.local/share/privacy-policy). This is reasonable for a CLI utility but is persistent local state; users should be aware files will be created in their home directory.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request elevated platform privileges. It only writes to its own data directory (or configured PRIVACY_POLICY_DIR) and does not modify other skills or global agent settings.
