Skill v1.0.0

ClawScan security

China Electronic Components Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 9:34 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, data, and runtime instructions are consistent with its stated purpose (a static, local guide to China's electronic components industry) and do not request unexpected credentials, network access, or privileged installation.
Guidance
This skill appears coherent and self-contained: it exposes read-only functions that return data from the included data.json and does not request credentials or perform network activity. Before installing, consider: (1) verifying the data accuracy and currency if you'll rely on it for procurement decisions (the skill bundles static data, last_updated 2026-03-13), (2) reviewing included company/supplier names for any privacy or legal considerations in your jurisdiction, and (3) if you or your environment allow the skill to call external resources later (e.g., via agent policies), ensure network access is intentionally granted because the current package itself does not perform external calls.

Review Dimensions

Purpose & Capability
ok: The name/description match the actual implementation: a local data-backed industry guide. The provided functions and data.json contents align with the stated capabilities (overviews, clusters, subsectors, sourcing guidance). There are no unrelated dependencies or credentials requested.
Instruction Scope
ok: SKILL.md limits behavior to serving industry intelligence and examples; it does not instruct reading system files, environment variables, or sending data to external endpoints. The implementation (run.py) reads only the included data.json and exposes safe query functions.
Install Mechanism
ok: No install spec is present and no external downloads occur. This is an instruction-only skill with a bundled code file and data asset, so nothing is written or fetched at install time beyond the packaged files.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. All data access is local to data.json; there are no suspicious secret-like fields or requests for unrelated service tokens.
Persistence & Privilege
ok: "always" is false and the skill does not attempt to modify other skills or global agent configuration. It runs as a normal user-invocable skill with no elevated persistence requirements.