Back to skill
Skillv1.0.0
ClawScan security
Pans Upsell Radar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 17, 2026, 2:40 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and data are consistent with an on‑premises upsell scanning tool that reads/writes local JSON files and does not request external credentials or network access.
- Guidance
- This skill appears coherent and local: it reads/writes JSON customer and signal files and produces reports. Before installing, review the customer JSON to ensure you are comfortable storing customer data under ~/.qclaw/skills/pans-upsell-radar/data. There are no network calls or credential requests in the provided code, but if you plan to run it in a multi-user or production environment, run it in a sandbox first and inspect the full upsell.py to confirm there are no later additions that perform network I/O. If you need to integrate with live telemetry, be deliberate about what external data sources and credentials you add.
Review Dimensions
- Purpose & Capability
- okName/description (upsell radar for GPU capacity) align with the included files: a Python script plus customer and signal JSON data. There are no unexpected credentials, binaries, or external services required.
- Instruction Scope
- noteSKILL.md instructs running the local Python CLI and references local data files under ~/.qclaw/... The runtime instructions and script operate only on those local JSON files. Note: the skill stores customer, signal, and opportunities data under the user's home (~/.qclaw/skills/pans-upsell-radar/data), so it will create/modify local files containing customer and signal information.
- Install Mechanism
- okNo install spec is provided (instruction-only with an included script), so no external packages or downloads are performed by the skill itself. This is low-risk from an install perspective.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths beyond creating/using its own data directory. No secrets are requested or referenced.
- Persistence & Privilege
- okalways is false and the skill does not modify global agent configuration. It persists data only under ~/.qclaw/skills/pans-upsell-radar/data (its own directory), which is appropriate for its stated purpose.