Skill v2.1.0

ClawScan security

AI C-Suite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 26, 2026, 6:19 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required inputs are consistent with its stated offline, stdlib-only debate/decision purpose and do not request credentials or external network access.
Guidance
This skill appears to do what it says: an offline, template-driven debate generator using only the Python stdlib. Before running:
1. Inspect or edit config/company.yaml so it contains no secrets; it should hold only public company metadata.
2. Run scripts/security_scan.py from the skill directory and confirm it prints PASS.
3. Run the commands with the skill folder as your current working directory so logs and outputs stay inside the skill tree (the code resolves paths with Path.cwd(), not the script's own location).
4. If you must run it from a different cwd, expect logs to be created there instead.
5. If you need stronger isolation, run the scripts in a disposable container or VM.
Forcing logs and file reads into the skill folder is a small change: anchor paths on the script's own directory instead of Path.cwd().

Review Dimensions

Purpose & Capability
ok: Name and description (stage-aware C-suite debate) align with the included Python scripts: prepare_session, run_debate, validate_output, and security_scan. No unrelated binaries, credentials, or external services are requested.
Instruction Scope
note: Runtime instructions stick to local files and the debate workflow and explicitly call the included scripts. Minor caveat: run_debate, prepare_session and the defaults resolve paths relative to the current working directory (e.g. ensure_logs(Path.cwd())), so running the scripts from outside the skill folder may create logs or read files in another location. This slightly contradicts the SKILL.md claim that reads and writes are scoped to the skill directory.
Install Mechanism
ok: No install spec; instruction-only skill with bundled Python stdlib scripts. Nothing is downloaded or executed from external URLs.
Credentials
ok: No environment variables, credentials, or config paths are requested. The inputs are a local company YAML file and CLI arguments, as documented.
Persistence & Privilege
ok: The skill is not always-enabled, does not request elevated privileges, and does not modify other skills or system-wide agent settings. It writes output files (logs/*.md) relative to the current working directory.
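An added example, not part of the ClawHub scan output or the skill's own scripts, that implements the pre-run checks from the Guidance (a company.yaml with no secrets; outputs kept inside the skill tree) together with the Path.cwd() fix suggested under Instruction Scope. Stdlib only, matching the skill's constraint. The function names, the secret patterns and SAMPLE_YAML are assumptions made for illustration; the only detail taken from the scan is that the skill's scripts call ensure_logs(Path.cwd()).

```python
"""Added example, not code from the ClawHub scan page or from the skill itself.

It implements the two pre-run checks the guidance asks for:
  1. scan config/company.yaml for anything that looks like a secret, and
  2. resolve log/output paths against the skill directory instead of
     Path.cwd(), which is the one-line fix for the ensure_logs(Path.cwd())
     caveat raised under Instruction Scope.

Stdlib only, matching the skill's own constraint. Function names, the
key/value patterns, and SAMPLE_YAML are assumptions made for illustration.
"""
import re
import tempfile
from pathlib import Path

# Key names that have no business in public company metadata (assumed list).
SECRET_KEY_RE = re.compile(
    r"^\s*[A-Za-z0-9_.-]*(api[_-]?key|secret|token|password|passwd|"
    r"private[_-]?key|credential)[A-Za-z0-9_.-]*\s*:",
    re.IGNORECASE,
)
# Values that look like credentials even when the key name is innocent.
SECRET_VALUE_RE = re.compile(
    r"AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36}|xox[abp]-[A-Za-z0-9-]+|"
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----"
)

# Constructed sample of a company.yaml that should fail the check.
SAMPLE_YAML = """\
company:
  name: Example Corp
  stage: seed
  website: https://example.com
  api_key: abc123
  slack_token: xoxb-not-a-real-token
"""


def find_secret_lines(yaml_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for lines that look like they carry a secret.

    A line-oriented scan rather than a YAML parse: the stdlib has no YAML
    module and the skill is stdlib-only. Conservative by design: a false
    positive costs a glance, a false negative leaks a credential into logs.
    """
    hits = []
    for n, line in enumerate(yaml_text.splitlines(), start=1):
        if SECRET_KEY_RE.match(line) or SECRET_VALUE_RE.search(line):
            hits.append((n, line.strip()))
    return hits


def skill_root(script_file: str) -> Path:
    """Directory of the running script: the anchor to use instead of Path.cwd()."""
    return Path(script_file).resolve().parent


def is_within(root: Path, candidate: Path) -> bool:
    """True if candidate lies inside root after resolving '..' and symlinks.

    Resolving both sides also catches a logs/ entry that is a symlink
    pointing outside the skill tree.
    """
    try:
        candidate.resolve().relative_to(root.resolve())
        return True
    except ValueError:
        return False


def ensure_logs(root: Path, subdir: str = "logs") -> Path:
    """Create and return root/subdir, refusing any path outside root."""
    target = root / subdir
    if not is_within(root, target):
        raise ValueError(f"refusing to write outside the skill tree: {target}")
    target.mkdir(parents=True, exist_ok=True)
    return target


def demo() -> dict:
    """Run both checks against a throwaway skill tree; returns results for inspection."""
    root = Path(tempfile.mkdtemp(prefix="skill-"))
    (root / "config").mkdir()
    (root / "config" / "company.yaml").write_text(SAMPLE_YAML)

    secrets = find_secret_lines((root / "config" / "company.yaml").read_text())
    logs = ensure_logs(root)
    try:
        ensure_logs(root, "../escaped-logs")  # must be rejected
        escape_blocked = False
    except ValueError:
        escape_blocked = True
    return {"secret_lines": [n for n, _ in secrets],
            "logs_inside_root": is_within(root, logs),
            "escape_blocked": escape_blocked}


if __name__ == "__main__":
    for line_no, text in find_secret_lines(SAMPLE_YAML):
        print(f"company.yaml:{line_no}: possible secret: {text}")
    print(demo())
```

Anchoring on skill_root(__file__) makes the scripts behave the same whichever directory the command is typed from, which is what step 3 of the Guidance otherwise has to work around; the is_within check is what turns the SKILL.md claim about scoped reads and writes into something the code enforces rather than assumes.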