Skill v1.0.0

ClawScan security

Non-Technical Agent Quickstart · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 10:43 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: Instruction-only guide that teaches non-technical founders how to build AI agents with third‑party services; its requests and instructions are consistent with that purpose and it does not request credentials or install code.

Guidance: This is an instruction-only quickstart that appears coherent and low-risk, but consider the following before using it:

1) The guide encourages copy-pasting content into third-party services (Claude.ai, Notion, etc.) — avoid pasting private credentials, PII, or sensitive business secrets until you understand the service's data retention and privacy policies.
2) When you do integrate tools long-term, prefer OAuth or official integrations rather than manual copy-paste to reduce accidental data exposure.
3) The skill advertises quick results (e.g., 'ready-to-send in 10 seconds') — treat outputs as drafts and review for accuracy and tone before sending.
4) This skill is paid content ($9) and links to or endorses external platforms; verify costs and terms on those platforms.

Overall it is internally consistent, but the primary risk is user-driven data exposure to the third-party services the guide recommends.

Review Dimensions

Purpose & Capability
ok: The name/description match the content: SKILL.md is a step‑by‑step, no‑code quickstart for building agents using third‑party platforms (Claude, OpenClaw, Notion, etc.). It does not ask for unrelated access, binaries, or credentials.
Instruction Scope
note: Instructions stay within the stated purpose (writing prompts, workflows, and connection suggestions). One user-privacy caveat: the guide recommends copy‑pasting content into third‑party services as a zero‑API option — this is functional for onboarding but can expose sensitive data to those services. The skill does not instruct the agent to read local files or environment variables.
Install Mechanism
ok: No install spec and no code files (instruction-only). Nothing is written to disk or downloaded by the skill itself, which minimizes supply-chain risk.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. It recommends using third‑party platforms (which themselves may require credentials), but the skill does not request them directly.
Persistence & Privilege
ok: Defaults are used (not always:true). The skill is user-invocable and can be called by the agent, which is normal for skills; it does not request permanent system presence or attempt to modify other skills.