Skillv1.0.0

ClawScan security

Aperol · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 29, 2026, 1:05 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only, informational skill about Aperol/Aperol Spritz that requests no credentials, installs nothing, and its runtime instructions are purely static content consistent with the stated purpose.
Guidance: This skill appears to be a harmless informational/reference document about Aperol and the Aperol Spritz. Before installing, note that the registry metadata lists no source or homepage — the content’s factual claims (sales figures, dates, growth rates) are not sourced within the SKILL.md. If you rely on these numbers for research or business decisions, verify them against reputable sources. Because the skill requests no credentials, performs no installs, and contains no code, the main risk is misinformation rather than technical compromise.

Purpose & Capability: okThe name and description (Aperol / Aperol Spritz marketing/history) match the SKILL.md content. The skill declares no binaries, env vars, or install steps — which is proportionate for an informational/reference skill.
Instruction Scope: okSKILL.md is static content (history, marketing notes, recipe proportions). It does not instruct the agent to run shell commands, read files, access environment variables, or transmit data to external endpoints. No scope creep detected.
Install Mechanism: okNo install spec and no code files are present. Because this is instruction-only, nothing is written to disk and there is no installation risk.
Credentials: okThe skill requires no environment variables, credentials, or config paths. There are no requests for secrets or unrelated service tokens — proportional for an informational skill.
Persistence & Privilege: okalways is false and the skill does not request elevated or persistent privileges. Autonomous invocation is allowed by default but is not combined with other risky behaviors here.