Skillv1.2.0

ClawScan security

Geo Audit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 5, 2026, 5:47 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's claims and runtime instructions are internally consistent: it's an instruction-only GEO audit that fetches public site pages, runs four parallel analysis subagents (provided in the package), and produces a scored report — it does not request secrets, install code, or require unrelated capabilities.
Guidance: This skill is an instruction-only GEO auditor that will make outbound HTTP(S) requests to the target site and public third-party endpoints (Wikipedia, LinkedIn, Reddit, YouTube, Crunchbase, etc.), run internal subagent analyses (the .md `references/agents/*` files), and produce a scored report (the evals expect a markdown report file). Before installing: ensure you are comfortable with the agent runtime having network access and permission to write reports to disk; avoid providing private or intranet URLs unless you trust the runtime environment; confirm the runtime respects robots.txt/rate limits (the skill instructs it to, but enforcement depends on the agent). The SKILL.md already includes explicit untrusted-content handling and prompt-injection detection (it will flag but not follow injected instructions). If you need higher assurance, run the skill on a non-sensitive public site first and inspect generated reports and logs. Finally, note there are no secret/credential requests and no installable binaries, which reduces risk.
Findings: [prompt-injection:ignore-previous-instructions] expected: The SKILL.md contains the string pattern as an example of prompt-injection text and explicitly instructs agents to treat such strings as untrusted input and to report them. The scanner flagged the pattern, which is appropriate and handled by the skill's instructions.

Review Dimensions

Purpose & Capability: okThe skill name/description (GEO audit) align with the required artifacts: it reads local agent instruction files, fetches target site pages and third‑party public resources (Wikipedia, LinkedIn, Reddit, etc.), and scores technical/content/schema/brand dimensions. It does not request unrelated credentials or binaries.
Instruction Scope: okSKILL.md instructs the agent to fetch homepage, robots.txt, sitemaps, up to 10 pages, and to spawn four subagents using the bundled reference .md files — all actions are coherent with an audit. It explicitly treats all fetched content as untrusted and instructs detection/reporting of prompt-injection attempts. Note: the skill will make outbound HTTP requests and may write a report file (evals expect disk output).
Install Mechanism: okNo install spec and no code files — this is instruction-only, so nothing is downloaded or executed on disk by the skill itself. This minimizes install-time risk.
Credentials: okThe skill requires no environment variables, no credentials, and no config paths. Its need for network access to public endpoints is proportional to the stated purpose. There are no requests for unrelated secrets or system credentials.
Persistence & Privilege: okalways is false and autonomy is the platform default. The skill does not request permanent presence, nor does it modify other skills or system-wide settings. It may produce files (reports) per its purpose — that is expected behavior.