Risk Assessment
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent risk-assessment prompt with no evidenced hidden mutation or persistence, but it can read user-provided security documents and the example code sends assessment context to an external AI provider if run.
This appears safe to install as an instruction-only risk-assessment skill. Before use, decide which files and URLs the agent may inspect, use only trusted framework appendices, and avoid sending secrets or highly sensitive internal details to the example API workflow unless your organization permits that processing.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may review sensitive security, policy, or asset documents as part of the assessment.
The skill can inspect local/user-provided files and fetch web content. This fits a risk-assessment workflow, but users should scope which documents and URLs are used.
allowed-tools: "Read, Glob, Grep, WebFetch"
Provide only the files and web references intended for the assessment, and avoid including unnecessary secrets or unrelated private documents.
If an untrusted framework appendix is used, it could change how the model performs the assessment or formats results.
The example appends a framework file directly into the system prompt. This is purpose-aligned for compliance mapping, but untrusted framework text could influence the agent's instructions.
skill_text += "\n\n" + framework_text
Use framework appendices from trusted sources and review them for prompt-like instructions before appending them.
Sensitive descriptions of systems, vulnerabilities, or regulated data environments may be transmitted to an external AI provider if the example script is used.
Running the example sends the provided assessment context to Anthropic's API. This is expected for the example, but the context may include sensitive internal security details.
message = client.messages.create(... "content": f"Perform a comprehensive risk assessment based on the following context:\n\n{context}")
Confirm external AI processing is allowed for the data being assessed, and redact secrets or unnecessary sensitive details before running the example.
