Skill v5.0.0
ClawScan security
Inventory Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 23, 2026, 12:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an offline reference/cheatsheet for inventory management and its files and runtime instructions are consistent with that purpose — it does not request credentials, make network calls, or install software.
- Guidance: This skill appears to only provide offline reference text and does not request credentials, make network calls, or perform installs. Before installing: (1) Confirm your agent runtime will not execute arbitrary code from skills without your approval — the included script is benign but is executable shell code. (2) If you want absolute assurance, open and review scripts/script.sh yourself (it's only heredoc output). (3) If you run the skill in an environment with strict policies, prefer skills that are instruction-only with no executable files. Otherwise this skill is coherent and low-risk for typical use.
Review Dimensions
- Purpose & Capability: ok. The name/description match the provided SKILL.md and scripts: static reference material about SKU systems, valuation, barcodes, ABC/EOQ, and migration. It does not request unrelated credentials, binaries, or config paths.
- Instruction Scope: ok. SKILL.md explicitly states no external API calls or credentials and the commands produce plain-text heredoc reference output. The shipped script (scripts/script.sh) only emits static documentation via heredocs; it does not read arbitrary files, access env vars, or contact external endpoints.
- Install Mechanism: ok. There is no install spec (instruction-only). The included shell script is static content and not an installation payload — no downloads, package installs, or archive extraction are performed.
- Credentials: ok. The skill declares no required environment variables or primary credential. Neither SKILL.md nor scripts reference secrets or require configuration, so requested access is proportionate to the stated purpose.
- Persistence & Privilege: note. "always" is false (normal). The skill is user-invocable and model-invocation is permitted (platform default). This is expected for a reference skill, but as with any skill that can be invoked autonomously you should be comfortable with the agent executing its logic — here that logic is harmless static output.
