Skill v1.0.0

ClawScan security

Salary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 12:38 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions and requirements are coherent with its stated purpose and it does not request system access, credentials, or install code.
Guidance
This skill appears coherent and low-risk because it is instruction-only and asks for no system credentials. Before installing or using it, be prepared to share personal compensation details (role, years of experience, current/target salary) — avoid sharing sensitive identifiers (SSN, bank account numbers, employer-confidential documents). Check how the agent will gather market data (which websites or APIs) and avoid granting any connectors or credentials you wouldn't trust. If the skill later asks for API keys, files, or broad system access, treat that as a red flag and revoke access.

Review Dimensions

Purpose & Capability
ok
The name and description match the SKILL.md content: it helps research market rates, craft negotiation language, and evaluate compensation components. The skill declares no binaries, env vars, or config paths and none are required by the prose, so there are no unrelated privileges requested.
Instruction Scope
note
The SKILL.md is high-level prose describing what the agent should do (gather market data, build scripts, convert components to dollar values). It does not instruct the agent to read local files, environment variables, or send data to any third-party endpoints, which is good. However, the skill implicitly requires external market research (web or API queries); the SKILL.md does not specify which data sources or APIs to use, so the exact runtime behavior depends on the host agent and its connectors.
Install Mechanism
ok
No install spec and no code files (instruction-only). This is the lowest-risk install model: nothing is written to disk by the skill itself.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. It will ask users for personal details like role, experience, location, and compensation history — which is expected and proportional to the purpose. Users should avoid sharing sensitive identifiers (SSNs, bank details, employer secrets).
Persistence & Privilege
ok
The skill is not marked always:true and does not request persistent presence or modify other skills/configs. Autonomous invocation by the agent is allowed by default but is not a unique privilege of this skill and is not combined with other concerning access.