Skill v1.0.0

ClawScan security

Drawdown · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 21, 2026, 12:19 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill is a documentation/reference tool for drawdown analysis that only bundles a shell script to print guidance; its declared requirements are proportional to its purpose and nothing in the provided files appears to access secrets or external systems.
Guidance
This skill appears to be a local reference that prints drawdown analysis guidance and examples — nothing in the provided files indicates network calls, credential use, or reading unrelated files. Before installing: (1) review the entire scripts/script.sh to confirm there are no hidden network calls, file writes, or shell execs beyond printing text (the provided excerpt was truncated), (2) if you will run it in an environment with sensitive data, ensure it runs in a sandbox or with limited privileges, and (3) if you expect the skill to read/write data, confirm what DRAWDOWN_DIR will contain and where it will write. If you can provide the full script.sh file (no truncation), I can raise confidence to high after rechecking.

Review Dimensions

Purpose & Capability
ok
Name/description (drawdown analysis reference) match the code and SKILL.md: the skill provides documentation and examples for drawdown metrics and points to running scripts/script.sh subcommands to show content. There are no unexpected credentials, binaries, or platform requirements.
Instruction Scope
ok
SKILL.md instructs the agent to run local commands (scripts/script.sh <command>) that correspond to the included script. The instructions only reference an optional DRAWDOWN_DIR config path and otherwise stay within the stated purpose (explanations, calculations, examples). There is no guidance to read arbitrary user files, search system state, or send data to external endpoints in the provided instructions.
Install Mechanism
ok
No install spec is present (instruction-only + included script). Nothing is downloaded or extracted from external URLs and no package managers are invoked; risk from install mechanisms is minimal.
Credentials
ok
The skill declares no required environment variables or credentials. SKILL.md documents a single optional DRAWDOWN_DIR for data storage, which is reasonable for a reference/example skill. The provided script content does not access environment secrets in the reviewed portion.
Persistence & Privilege
ok
The skill does not request always:true, does not modify other skills or system-wide configuration in the provided files, and uses standard, local script execution. Autonomous invocation is allowed by platform default but is not unusual for this type of skill.