Skill v1.0.0
ClawScan security
vendor-onboarding-workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 10:21 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only vendor onboarding playbook whose requirements and instructions align with its stated purpose, and it does not request additional installs, credentials, or system access.
- Guidance: This is a self-contained playbook; it appears coherent and appropriate for vendor onboarding. Before installing or adopting it: (1) review the included templates (e.g., email/form templates) to ensure they don't accidentally request unnecessary PII; (2) decide where collected documents will be stored and who can access them (secure storage and access controls are important for W-9s, COIs, etc.); (3) if you follow references to other skills (e.g., the 'COI skill'), verify those skills separately for any credential or install requirements; and (4) test the workflow on a sample vendor to confirm gates, notifications, and escalation behavior meet your organization's policies.
Review Dimensions
- Purpose & Capability: ok. Name and description (vendor onboarding workflow) match the SKILL.md content: a 5-gate onboarding process with checklists, templates, and timelines. The guidance references common form tools (Typeform, JotForm, Google Forms) and other internal templates which are appropriate for this purpose.
- Instruction Scope: ok. SKILL.md provides step-by-step operational instructions, checklists, and communication templates. It does not instruct reading arbitrary system files, accessing environment variables, or exfiltrating data to unexpected endpoints. It does refer to an external 'COI skill' and to using form services — integrations that are reasonable but external.
- Install Mechanism: ok. No install spec and no code files — the skill is instruction-only. Nothing will be downloaded or written to disk by an installer.
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. There are no disproportionate or unrelated secret requests.
- Persistence & Privilege: ok. 'always' is false and the skill is user-invocable. It does not request persistent system presence or modification of other skills/configs.
