Skillv1.0.0

ClawScan security

Language · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 8, 2026, 1:59 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill's requested resources and instructions match its language-teaching purpose and it is instruction-only with no installs or credentials, but the SKILL.md is vague about how progress/personal data are stored which should be clarified before use.
Guidance: This skill appears to do what it says and does not request credentials or install code, but it will ask for personal details (name, location, interests, examples of mistakes) to personalize lessons and claims to track progress. Before installing or enabling it for autonomous use, ask the publisher: (1) how and where progress/personal data are stored (agent memory, local files, remote service), (2) whether any external APIs or third-party storage are used and what credentials would be required, and (3) how long data is retained and how it can be deleted. Until you have answers, avoid submitting highly sensitive personal information and consider using it in an ephemeral session or sandboxed agent instance.

Purpose & Capability: okName and description (personalized plans, vocabulary in context, writing correction, mock conversations, progress tracking) align with the SKILL.md content. No unexpected binaries, credentials, or config paths are requested.
Instruction Scope: noteThe instructions describe collecting personal context (name, city, interests, conversation scenarios) and 'tracking patterns' and progress. The SKILL.md does not instruct reading unrelated system files or environment variables, but it is vague about where and how progress/personal data will be stored and protected; this is a privacy/implementation detail to clarify.
Install Mechanism: okNo install spec and no code files are present (instruction-only). This is the lowest-risk install pattern and matches the skill's described behavior.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The personal data it asks the user to provide (interests, name, scenarios) is reasonable for the stated personalization, but the SKILL.md does not specify retention or external services.
Persistence & Privilege: noteThe skill claims to 'track your progress' and 'adjust' plans over time, which implies state persistence. However, there is no install or declaration of storage mechanisms, memory usage, or external services. Clarify whether the agent will persist data in agent memory, local storage, or external services, and what access/permissions are required.