Back to skill
Skillv1.0.0
ClawScan security
Surety · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 2:30 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only, informational guide about surety bonds and its declared requirements and behavior align with that purpose.
- Guidance
- This skill appears to be a straight informational guide about surety bonds and is internally consistent. Before installing, note that: (1) it is educational content, not legal or underwriting advice — consult a licensed attorney or surety underwriter for decisions; (2) it requests no credentials or system access, so it won't exfiltrate secrets, but avoid pasting confidential documents into any third-party agent without reviewing privacy policies; (3) verify that the information is current and jurisdiction-appropriate if you rely on it for regulated matters; and (4) if you need transactional functionality (e.g., creating bond applications, connecting to underwriter APIs), expect a different skill that would legitimately require credentials and review that one more carefully.
Review Dimensions
- Purpose & Capability
- okThe name and description promise educational coverage of surety bonds and the only artefact (SKILL.md) is exactly that educational content. The skill declares no binaries, env vars, installs, or external integrations — nothing unusual is requested for an informational skill.
- Instruction Scope
- okSKILL.md contains explanatory text about surety bonds and does not instruct the agent to run shell commands, read files, access environment variables, or send data to external endpoints. The instructions stay within an educational scope and do not request unrelated system access.
- Install Mechanism
- okThere is no install spec and no code files. As an instruction-only skill it writes nothing to disk and relies on the agent's normal runtime, which is the lowest-risk installation mode.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. There are no requests for secrets or unrelated service credentials, which is proportionate for an informational skill.
- Persistence & Privilege
- okalways is false (no forced inclusion) and the skill does not request any special persistent privileges or modifications to other skills or system-wide settings. Normal autonomous invocation is allowed but presents no additional flagged risk here.