Skill v1.1.2
ClawScan security
H1B Sponsor Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 2:13 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This instruction-only skill appears to do what it says (H1B sponsor lookups) and requests no extra permissions, credentials, or risky installs.
- Guidance: This skill appears coherent and low-risk: it only describes lookups against h1bfinder.com and asks for no credentials. Before installing, you may want to (1) verify the homepage/repository to ensure you trust the data source and its privacy policy, (2) remember results are informational (not legal advice) and should be independently verified for visa decisions, and (3) check the site’s terms or any API usage limits if you will rely on it heavily. Also note the small version number mismatch in metadata (harmless but worth checking if you want the latest fixes).
Review Dimensions
- Purpose & Capability (note): The skill name/description and runtime instructions align: it queries historical H1B disclosure data via h1bfinder.com. It declares the h1bfinder.com API as its data source and does not request unrelated binaries, env vars, or config paths. Minor inconsistency: SKILL.md and registry metadata show slightly different version numbers (1.1.1 vs 1.1.2), which is likely benign but worth noting.
- Instruction Scope (ok): SKILL.md provides focused instructions for sponsor lookup and result formatting. It does not instruct the agent to read local files, shell history, unrelated environment variables, or to send data to third-party endpoints other than the declared h1bfinder.com source. The guidance contains appropriate caveats (not legal advice).
- Install Mechanism (ok): There is no install spec or shipped code to execute; the skill is instruction-only. README suggests using 'npx clawhub install' which is normal user guidance and not an embedded arbitrary download. No extract/download URLs or suspicious installers are present.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. That matches the described functionality (read-only lookups against a public site). No excessive secrets or unrelated credentials are requested.
- Persistence & Privilege (ok): The skill is not marked always:true and uses default autonomous invocation settings. It does not request persistent system-wide changes or access to other skills' configs. This is proportionate for an optional lookup skill.
