Skill v1.0.0
ClawScan security
Biz Doc Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 6:47 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (generating proposals, invoices, and contracts) and does not request additional credentials, installs, or network endpoints.
- Guidance: This skill appears to be a straightforward local document generator. Before installing or enabling it: (1) confirm whether your agent will be allowed to read/write ~/biz-docs/ and whether that location is acceptable for storing client-sensitive information; (2) review generated invoice/contract templates and tax calculations for legal and accounting correctness before sending to clients; (3) test in a safe environment (no real client data) to confirm behavior; (4) if you need networked features (emailing invoices, signing contracts), verify what additional integrations or permissions would be requested (none are present now). If you want extra assurance, ask the author for explicit file I/O commands or a privacy note describing how client data is stored and deleted.
Review Dimensions
- Purpose & Capability: ok. Name/description match the SKILL.md: the skill is a document-generation helper for proposals, invoices, and contracts. It requests no binaries, env vars, or external services and includes only a small harmless test script, so the declared capabilities align with its required footprint.
- Instruction Scope: note. SKILL.md defines a workspace layout under ~/biz-docs/ and describes inheriting client data between documents (proposals → invoices/contracts). The instructions are high-level and do not include commands that read arbitrary system files or call external endpoints, but they implicitly require read/write access to the user's home directory (~/biz-docs/) to store client profiles, histories, proposals, invoices, and contracts. Consider whether you are comfortable granting the agent filesystem access and storing sensitive client data there.
- Install Mechanism: ok. No install spec; instruction-only reduces risk. The included scripts/test.sh is a simple echo-based test harness and does not perform downloads, extracts, or execute remote code.
- Credentials: ok. The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate for a local document/template generator.
- Persistence & Privilege: ok. always is false and the skill does not request permanent global presence or modify other skills. Autonomous invocation is allowed by default (platform behavior) but the skill itself does not escalate privileges or persist beyond its own workspace.
