Back to skill
Skillv1.0.0
ClawScan security
Attribution Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 6:51 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only analytics helper whose declared inputs and behavior align with its stated purpose and it does not request credentials, install code, or access system resources.
- Guidance
- This skill is internally consistent and acts as a guideline/analysis template — it will not fetch platform data or use your accounts unless you explicitly provide credentials or connectors. Before using: (1) avoid pasting raw account credentials or PII into the input fields; (2) understand you must supply accurate channel metrics/offline data because the skill has no connectors; (3) treat recommendations as advisory and validate high-risk budget changes with experiments or incremental tests. If you need the skill to pull live data, expect it to require additional connectors and API keys—review those requests carefully before granting access.
Review Dimensions
- Purpose & Capability
- okName and description are analytics-focused and the SKILL.md only requires structured input data (channel_metrics_by_window, attribution_windows, etc.). There are no unrelated env vars, binaries, or config paths requested, so requested capabilities are proportionate to an attribution analysis helper.
- Instruction Scope
- okRuntime instructions stay within analytics scope: normalize definitions, compare windows, quantify deltas, and propose allocation/validation plans. The doc does not instruct reading system files, accessing unrelated environment variables, or transmitting data to third-party endpoints.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only). Nothing will be written to disk or downloaded by the skill itself.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. This is consistent with an advisory/analysis skill that operates on user-supplied data rather than connecting to ad platform APIs.
- Persistence & Privilege
- okFlags show always:false and default autonomous invocation allowed (normal). The skill does not request persistent presence or system-level configuration changes.