v1.0.2

ICP Modeler

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

This appears to be a purpose-aligned marketing profile generator with an optional Anthropic-powered content feature, but users should notice the API-key use and a minor packaging/provenance inconsistency.

GuidanceThis skill looks safe to install for its advertised purpose. If you use the premium content-generation option, expect it to use your Anthropic API key and send the content request/ICP context to Claude; avoid including private customer data unless that is acceptable for your workflow.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities

SeverityInfoConfidenceMediumStatusNote

icp_modeler.py

LLM backend: uses generate.py (local MLX → Haiku fallback)

The source comments reference a generate.py backend, but the supplied manifest only lists SKILL.md, icp_modeler.py, and qa-skill.md. This looks like a packaging or documentation inconsistency rather than malicious behavior.

User impactThe premium LLM path may not behave exactly as documented if a referenced helper is missing or stale.

RecommendationBefore relying on premium generation, verify the installed package includes the expected LLM path and that it only uses the declared Anthropic dependency/API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

SKILL.md

**Premium tier (ANTHROPIC_API_KEY):**\n- `--generate-content "3 facebook posts"` — LLM writes content specifically tuned to the ICP's triggers

The skill uses the user's Anthropic API key for optional LLM content generation. This is disclosed and aligned with the feature, but it is still a credentialed third-party service call.

User impactUsing the premium feature may send the content request and relevant ICP context to Anthropic and may create API charges on the user's account.

RecommendationUse an Anthropic key with normal billing limits, avoid entering sensitive client data unless appropriate for Anthropic processing, and reserve the key for this intended content-generation use.