Skill v1.0.0
ClawScan security
Pans Poc Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 5:40 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is a self-contained, local CLI POC tracker whose requested files, instructions, and behavior are consistent with its description. It does not request credentials or perform network activity.
- Guidance: This script appears to be a simple, local POC tracker. Before installing, review the Python file yourself to confirm there are no network calls (requests/sockets) or subprocess executions in the truncated portion. Be aware that customer data is stored unencrypted in ~/.qclaw/skills/pans-poc-tracker/data/pocs.json. If that file contains sensitive information, consider encrypting it or restricting filesystem permissions. If you need remote/team sync, implement an explicit, reviewed integration rather than modifying this local script.
Review Dimensions
- Purpose & Capability: ok. Name/description (POC tracking for AI compute sales) match the included CLI and Python implementation: creating, listing, updating, staging, recording blockers/feedback, reporting and reminders. No unrelated capabilities (cloud, email, or external integrations) are requested.
- Instruction Scope: ok. SKILL.md instructs the agent/user to run local python CLI commands and documents the local storage path (~/.qclaw/skills/pans-poc-tracker/data/pocs.json). The instructions do not ask the agent to read other system files, environment variables, or send data externally.
- Install Mechanism: ok. There is no install spec — the skill is instruction-only plus a single Python script. Nothing is downloaded or installed automatically; runtime is local Python execution.
- Credentials: ok. The skill requires no environment variables, credentials, or config paths beyond writing to a subdirectory in the user's home. That is proportionate to a local CLI data-tracking tool.
- Persistence & Privilege: ok. always is false and the skill does not request persistent platform-wide privileges. It stores data only under the user's home ~/.qclaw path and does not modify other skills or global agent configuration.
