Skill v0.1.0

ClawScan security

Geo Metrics Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 9, 2026, 6:45 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements, files, and instructions are consistent with its stated purpose of designing GEO metrics catalogs, schemas, dashboards, and alerting — it does not request unexpected credentials or installs and the included code only generates markdown scaffolding.
Guidance
This skill appears to be a design/orchestration helper (templates, schemas, alert examples) and includes one harmless script that emits markdown. It does not itself collect or transmit data or request credentials — however, many of its recommended implementations (sampling AI answers or calling platform APIs) will require separate API keys and data access. Before wiring it into your environment: only grant credentials to concrete implementation code you review, give those credentials least privilege, and avoid connecting it directly to production logs or secrets without an engineering review. If you want the agent to perform live data collection, expect additional credentials and re-evaluate then.

Review Dimensions

Purpose & Capability
ok: Name/description match what the skill actually contains: design templates, schemas, dashboards, and runbooks. No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
note: SKILL.md stays within design/specification scope (catalogs, storage schemas, alert rules, dashboards). It includes example pseudocode that mentions fetching answers from platforms (which may require separate API access), but the skill explicitly says it does not itself pull third-party data.
Install Mechanism
ok: No install spec; instruction-only plus a small utility script. Nothing is downloaded from external URLs and no archives are extracted.
Credentials
ok: The skill requests no environment variables or credentials. It may recommend using platform APIs in implementation notes, but it does not ask for or embed any secrets.
Persistence & Privilege
ok: always is false and the skill is user-invocable. It does not request permanent system presence or attempt to modify other skills or system-wide configuration.