Skill v1.0.0
ClawScan security
Contract Renewal & Expiration Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 10:22 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only contract renewal playbook that is internally consistent with its stated purpose, but it assumes integration with calendars, file storage, and alerting mechanisms without declaring how those integrations/credentials will be handled.
- Guidance: This is a coherent, instruction-only playbook for managing contract renewals and appears safe from an internal-consistency perspective. Before installing or enabling the skill: (1) confirm which calendar, email, or storage connectors the agent will use to implement automated alerts and document storage; only grant the minimal scopes (e.g., calendar event write only, limited Drive folder access) and prefer a dedicated service account or folder for contracts; (2) verify any automatic notification behavior — avoid giving broad send-email or admin access unless you intend the agent to act autonomously; (3) review integrations with other skills (the referenced 'Vendor Performance Audit' skill) to understand data flows; and (4) treat contract documents as sensitive — ensure storage/encryption and access controls are appropriate. If you want purely human-guidance behavior, keep the skill instruction-only and deny connectors that enable automatic outbound actions.
Review Dimensions
- Purpose & Capability: ok. The name, description, and SKILL.md all describe a human/agent-facing process for tracking and managing contract renewals. The required artifacts (renewal calendar, scoring, notices, templates) align with the stated purpose and there are no unrelated binaries, env vars, or install steps requested.
- Instruction Scope: note. The instructions are procedural and scoped to the renewal lifecycle. They reference automation steps (automated/calendar alerts, owner notifications) and another skill ('Vendor Performance Audit skill'), but do not specify which calendar/alert/email systems to use or how automation should be authorized. That omission means the skill assumes the agent has tools/permissions to perform those actions; the SKILL.md itself does not ask the user to provide or limit those permissions.
- Install Mechanism: ok. There is no install spec and no code files — the skill is instruction-only, which minimizes disk-write and install risks.
- Credentials: note. The skill does not declare any environment variables or credentials, yet it instructs storing contracts in external services (Drive, Notion) and sending automated alerts/notifications. Performing those actions in practice requires access credentials; the documentation does not request or describe the minimal/proper credentials or scopes, which is an omission users should be aware of.
- Persistence & Privilege: ok. The skill does not request always-on presence and does not declare any capabilities that would modify other skills or global agent configuration. Autonomous invocation is allowed by platform default but nothing in the SKILL.md elevates its privilege beyond typical agent actions.
