Skill v1.0.0
ClawScan security
GwapScore Protocol · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 12:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only, self-contained specification and template set for a trust‑scoring protocol — its files and runtime instructions align with the described purpose and request no special privileges or secrets.
- Guidance: This bundle is documentation and templates for a trust‑scoring protocol and appears internally consistent. Before installing or relying on it in production: (1) verify the publisher/source and legal/regulatory suitability for your use case (source/homepage are not provided here), (2) if you build a runtime implementation from these specs, ensure partner webhooks and events are authenticated and idempotent as the docs recommend, (3) plan secure handling for any eventual API keys or credentials (not requested by this skill but required in real integrations), (4) test scoring and manual‑review flows with safe sample data, and (5) do not assume this documentation equals a vetted implementation — review any code you or partners write that implements these rules.
Review Dimensions
- Purpose & Capability: ok. The name/description (GwapScore trust scoring) matches the included SKILL.md, reference docs, templates, and example payloads. All required artifacts are documentation and examples for scoring, partner integration, review, and audit — nothing requested is unrelated to operating a scoring protocol.
- Instruction Scope: ok. Runtime instructions are deterministic and limited to ingesting events, mapping to canonical attestations, scoring, explaining results, and triggering review. The SKILL.md only references local repository files included in the bundle and does not instruct reading arbitrary system files, calling unknown external endpoints, or exfiltrating data.
- Install Mechanism: ok. There is no install spec and no code files — the skill is instruction-only, which is the lowest-risk install posture (nothing is written to disk or fetched during install).
- Credentials: ok. The skill declares no required environment variables, credentials, or config paths. That is proportionate for a documentation/specification skill. Note: a real deployment of this protocol would legitimately require partner API keys and infrastructure, but those are not requested here.
- Persistence & Privilege: ok. The skill is not marked always:true and does not request persistent agent-wide changes. It is a passive, instruction-only guidance pack and does not attempt to modify other skills or global agent settings.
