Back to skill
Skillv1.3.1
ClawScan security
competitive-product-research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 8, 2026, 8:33 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is instruction-only and its requested inputs, outputs, and included templates are consistent with a competitive product research report generator; it does not request credentials, installs, or external code execution.
- Guidance
- This skill appears coherent and low-risk because it contains only instructions, templates, and style rules and does not request credentials or install code. Before using, avoid uploading sensitive or proprietary documents (sanitize screenshots and remove PII), and confirm any public-source links you provide are appropriate to share. The SKILL.md forbids unauthorized scraping, but the agent's behavior depends on the environment/tools enabled (e.g., web search or scraping tools); ensure those tools/policies align with your data-handling rules. If you need stronger assurance, review the referenced GitHub URL in claw.json yourself and/or run the skill in a sandboxed agent instance.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, README and reference files all describe the same dual-track competitive research method and HTML output; there are no unrelated requirements (no env vars, no binaries, no config paths). The included report template and playbook are appropriate for the stated purpose.
- Instruction Scope
- okSKILL.md precisely defines inputs (research goal, competitors, optional screenshots/docs/links) and output requirements (traceable SRC IDs, actionable tasks, HTML template). It explicitly forbids unauthorized data collection. It does not instruct the agent to read system files, access unrelated environment variables, or send data to external endpoints beyond using provided evidence and public sources.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files to execute. That minimizes on-disk or network installation risk.
- Credentials
- okNo credentials, environment variables, or config paths are requested. The inputs it asks for (screenshots, docs, links) are proportional to a research/reporting task but may contain sensitive customer data if supplied by the user—see guidance.
- Persistence & Privilege
- okalways:false and no requests to modify other skills or system settings. The skill can be invoked by the agent (default), which is expected for instruction-only skills; there is no elevated persistence or config manipulation.