Skillv1.0.0

ClawScan security

Deep Ads Analyst · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 3, 2026, 6:00 AM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: An instruction-only marketing analysis skill that is internally coherent for synthesizing evidence supplied by the user, but it does not include any mechanism to pull platform data despite claiming cross‑platform evidence.
Guidance: This skill is an instruction-only analyst template and appears coherent for synthesizing and evaluating ad evidence you supply. Two practical points before installing or using it: (1) it does not include any code or API connectors — it will not itself fetch account data from Meta, Google Ads, TikTok, etc. If you want automatic cross‑platform pulls you need a separate connector that provides the data or to supply exports to the agent. (2) Because the skill asks users to provide evidence (campaign exports, internal tests, competitor examples), avoid pasting credentials or sensitive tokens into analysis prompts; supply only sanitized data or use secure connectors. If you need the skill to query platforms directly, ask the publisher how they intend to obtain credentials and why none are declared.

Review Dimensions

Purpose & Capability: noteThe name, description, and SKILL.md all describe deep, cross‑platform ad analysis and evidence mapping — which matches the workflow and outputs in the instructions. However, the skill claims to use evidence from specific platforms (Meta, Google Ads, TikTok, YouTube, Amazon, DSP) but requests no credentials, has no install, and provides no fetch instructions. That means it expects the user (or agent runtime) to supply platform data rather than pull it automatically; this gap may confuse users who expect automatic cross‑platform collection.
Instruction Scope: okSKILL.md contains step‑by‑step workflow, input/output contracts, decision rules, examples and YAML snippets. It does not instruct the agent to read files, access unrelated system state, call external endpoints, or exfiltrate data. Instructions are scoped to analysis and synthesis of evidence provided by the user.
Install Mechanism: okNo install spec and no code files — instruction‑only skill. This minimizes installation risk because nothing is written to disk or fetched at install time.
Credentials: noteThe skill declares no required environment variables or credentials, which is safe but potentially inconsistent with the description that implies cross‑platform evidence collection. If a user expects the skill to query ad platforms, credentials would be required; the absence of such requirements should be communicated to users so they know they must supply platform data or authorize separate tools.
Persistence & Privilege: okalways is false and there are no install steps that write persistent configuration. The skill does not request permanent presence or attempt to modify other skills or system settings.