Skill v1.0.0
ClawScan security
ceo-indotrading · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 20, 2026, 2:39 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only CEO assistant for IndoTrading whose requested capabilities, files, and runtime instructions are internally consistent with its stated purpose and do not ask for unrelated credentials or installs.
- Guidance: This skill is an instruction-only CEO assistant and appears coherent with its purpose. Before enabling it in a production environment, ensure any connectors you later configure (ERP, Google Sheets, analytics APIs, or internal dashboards) follow least-privilege principles: create scoped API tokens, use service accounts where possible, and avoid pasting raw sensitive credentials into chat. Verify with finance/ops teams what data the agent may access and keep an audit trail of requests/responses. Because the skill currently contains TODOs for data sources, it will need explicit, secure integration to be useful; review those integrations and monitor activity once enabled.
Review Dimensions
- Purpose & Capability (ok): Name and description (CEO / KPI / finance / ops analysis) match the SKILL.md and the three reference documents. All TODOs reference expected data sources (ERP, dashboards, analytics) and nothing outside the stated domain is requested.
- Instruction Scope (ok): Runtime instructions are limited to asking for data, analyzing KPIs/financials/ops, and returning structured insights. The skill does not instruct the agent to read arbitrary filesystem paths, exfiltrate data, call unexpected endpoints, or access unrelated environment variables.
- Install Mechanism (ok): No install spec and no code files are present (instruction-only). Nothing will be written to disk or downloaded by the skill itself.
- Credentials (ok): No required environment variables, credentials, or config paths are declared. References to external data sources are placeholders (TODO) and would require explicit connector configuration later; that is proportionate to the described purpose.
- Persistence & Privilege (ok): Skill is not marked always:true and uses normal agent invocation. It does not request persistent modification of other skills or system-wide settings.
