Skillv1.0.1

ClawScan security

Growth Strategy Hub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 11, 2026, 5:54 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only decision framework whose stated purpose, inputs, and outputs are internally consistent and do not request extraneous credentials or installs.
Guidance: This skill is an instruction-only decision framework and appears coherent with its stated purpose. Important considerations before installing or enabling it for autonomous use: (1) it expects market_signal_inputs but does not fetch platform data itself — if you plan to grant the agent credentials or connectors to Google/Meta/TikTok, treat those credentials as sensitive and limit scope (read-only, scoped access) and require human approval for execution; (2) for high-stakes capital-allocation recommendations, require human sign-off and audit logs as the SKILL.md recommends; (3) verify the provenance and freshness of any market signals you feed into the skill, and test the decision rules on non-production data first. If you want the skill to pull data from ad platforms, expect to add explicit, scoped credential handling and review that integration separately.

Purpose & Capability: okName/description match the SKILL.md content: an enterprise-level capital allocation decision system. Required inputs (enterprise targets, capital pool, market signals, governance rules) are appropriate and proportional to the stated purpose.
Instruction Scope: noteSKILL.md contains workflow, input/output contracts, decision rules, examples, and guardrails but does not instruct the agent to fetch platform data, read unrelated files, or access credentials. It assumes market_signal_inputs are supplied; it is ambiguous about who/what supplies those signals (user, data pipeline, or agent). If the agent is later given credentials or external fetch capability, actual behavior will depend on how it's integrated.
Install Mechanism: okNo install spec and no code files — instruction-only. Nothing will be written to disk or installed by the skill itself.
Credentials: okNo required environment variables, no credentials, and no config paths are declared. The inputs are data-oriented rather than credential-oriented, which is proportionate for a decision system that consumes supplied signals.
Persistence & Privilege: okalways is false and the skill does not request persistent presence or modification of other skills or system settings. Normal autonomous invocation is allowed (platform default).