Skill v1.0.0
ClawScan security
Pans Discovery Playbook · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 2:38 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is a sales discovery playbook and the included instructions and code are consistent with that purpose; it does not request credentials or install external components, but review the full script before running to be safe.
- Guidance: This skill appears coherent and low-risk: it runs a local Python script to produce interview guides and does not declare credentials or external installs. Before installing or running, review the full scripts/discovery.py (the prompt shows a truncated excerpt) to confirm there are no network calls, subprocess.exec usage, or hidden file writes. Run the script in a sandbox or isolated environment if you plan to feed it sensitive customer data, and avoid passing secrets or private files into the tool unless you’ve inspected the code's I/O behavior.
Review Dimensions
- Purpose & Capability: ok. Name/description match the behavior: an offline playbook generator for discovery calls. Required resources are minimal (a local Python script) and there are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope: ok. SKILL.md instructs running the included Python script to generate Markdown/JSON playbooks for specified scenarios and industries; it does not request reading unrelated system files or contacting external endpoints in the visible instructions.
- Install Mechanism: ok. No install spec is provided (instruction-only plus a local script). There is no download-from-URL or package install step that would introduce arbitrary third-party code.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. The content and sample CLI usage are consistent with a self-contained local generator.
- Persistence & Privilege: ok. The skill is not marked always:true and does not request elevated platform privileges. It appears to run on-demand and does not attempt to modify other skills or global agent settings.
