Skill v1.0.0
ClawScan security
Growth Autopilot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 6:50 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill that consistently defines policy-generation and decision-rule outputs for ad autopilot behavior and does not request installations, credentials, or external endpoints; the pieces align with a strategy/blueprint generator rather than an automated account connector.
- Guidance: This skill is a coherent policy/strategy authoring tool: it generates autopilot blueprints and decision rules but does not itself connect to ad platforms or ask for credentials. Before using it in production, ensure you: (1) do not hand the generated policies to an agent or integration that has unrestricted write access to your ad accounts without strict guardrails; (2) provision platform API credentials only to vetted connector components, with least privilege and rate/volume limits; (3) test generated policies in a sandbox or low-budget environment first; (4) enforce logging, auditable change history, and human-in-the-loop approvals for destructive actions (budget freezes, large bid changes); and (5) be aware that absence of code/scan findings only means there is nothing to analyze here; risk arises when you combine this skill with connectors or grant it credentialed access.
Review Dimensions
- Purpose & Capability: ok. Name, description, and SKILL.md consistently describe a policy/strategy generator for paid growth across ad platforms. The skill does not claim to perform platform API actions and does not require platform credentials, which is proportionate for a policy/blueprint-focused skill.
- Instruction Scope: ok. Runtime instructions are limited to generating objectives, policies, decision rules, YAML examples, and pseudocode. They do not instruct reading system files, environment variables, or contacting external endpoints, nor do they grant the agent open-ended permission to gather arbitrary context.
- Install Mechanism: ok. No install spec and no code files are provided (instruction-only). Nothing is written to disk or fetched at install time, which is low-risk and consistent with the stated purpose.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. That is coherent for a policy generation skill; it also means actual integration with ad platforms would require separate connector components not provided by this skill.
- Persistence & Privilege: ok. always:false and default model invocation settings are used. The skill does not request persistent presence or system-wide configuration changes, and it does not attempt to modify other skills or agent settings.
