Back to skill
Skillv1.0.0
ClawScan security
Media Buyer Helper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 7:08 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only media-buying helper whose declared inputs and procedures line up with its stated purpose and it does not request extra credentials, installs, or system access.
- Guidance
- This skill appears coherent and instruction-only, but the inputs it asks for (account snapshots, performance series, bidding configs) can contain sensitive ad-account details. Before using it: (1) do not paste account credentials, tokens, or raw access keys — provide redacted or aggregated metrics instead; (2) limit shared data to the minimum required (summaries, anonymized IDs); (3) confirm you trust the agent/runtime that will receive this data; and (4) if you need the skill to act on live accounts, prefer granting scoped API tokens with least privilege rather than full credentials.
Review Dimensions
- Purpose & Capability
- okName/description (media buying support across ad platforms) matches the SKILL.md content: account health, bidding, A/B test design, monitoring. There are no unrelated requirements (no cloud credentials, binaries, or config paths).
- Instruction Scope
- okThe SKILL.md contains only domain-appropriate instructions (how to evaluate snapshots, build tests, set anomaly thresholds). It does not instruct the agent to read system files, environment variables, or send data to unexpected external endpoints. Note: the declared inputs (account_structure_snapshot, recent_performance_series, etc.) are potentially sensitive ad-account data — the skill expects those data objects but does not request credentials.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only). This minimizes risk because nothing is downloaded or written to the host.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. That is proportionate for an advisory/analysis skill. As above, the user-provided inputs may contain sensitive campaign data but the skill does not ask for unrelated secrets.
- Persistence & Privilege
- okSkill is not always-enabled and does not request persistent agent-level privileges. It does not modify other skills or system configs based on the provided materials.