Skill v1.0.0
ClawScan security
Pans Deal Coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 4:40 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and requirements are coherent with a local command-line 'deal coach' that generates objection responses; it does not request credentials or install software, but you should review the remainder of the script for any unexpected network activity before trusting it with sensitive customer text.
- Guidance: This skill appears internally consistent and implements a local CLI coach using the bundled Python script. Before installing or running it on sensitive systems, do a quick check of the remainder of scripts/coach.py (the snippet provided is truncated) to confirm it does not perform network calls, log or exfiltrate input, or call external APIs. If you plan to paste customer data into the tool, consider running it in an isolated environment or sanitizing data first. Also prefer skills with a clear source/homepage or author provenance for production use.
Review Dimensions
- Purpose & Capability (ok): Name/description describe a sales objection coaching tool and both SKILL.md and scripts/coach.py implement that functionality (scenario library, templates, CLI). No unrelated credentials, binaries, or install steps are declared.
- Instruction Scope (ok): SKILL.md instructs running the provided Python script with command-line arguments and shows output modes (including JSON). The instructions stay within the stated purpose (identify objection, produce scripts/strategy). They do not instruct reading arbitrary system files or sending data to third parties.
- Install Mechanism (ok): No install spec is present (instruction-only use plus an included script). There are no downloaded artifacts or external installers that would write code to disk at install time.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The SKILL.md examples and the visible portion of scripts/coach.py use only standard Python libraries and local data structures, which is proportional to its purpose.
- Persistence & Privilege (ok): 'always' is false and the skill is user-invocable. It does not request persistent or elevated platform privileges in metadata or instructions.
