Back to skill
Skillv1.0.0
ClawScan security
Bosch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 2:19 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill is an instruction-only, read-only company profile of Bosch and its requests and behavior are consistent with that purpose (no installs, no secrets, no file or network instructions).
- Guidance
- The skill is low-risk and internally consistent: it simply provides a static company profile of Bosch with no installs, no secret access, and no file or network actions. Considerations before installing: (1) provenance — the SKILL.md has no source link or homepage, so verify important facts against authoritative sources before using for decisions (e.g., investments); (2) this is static text — it won't fetch live data or filings, so for up-to-date financials or regulatory details use official filings/websites; (3) if you plan to republish or redistribute content, check copyright/licensing of the source material. Otherwise there are no technical red flags.
Review Dimensions
- Purpose & Capability
- okThe skill name and description claim a corporate profile and market analysis of Bosch; the SKILL.md contains static company history, business breakdown, and key metrics — nothing requested (no env vars, binaries, or installs) is inconsistent with an informational/company-profile skill. The source/homepage is missing which affects provenance but not coherence.
- Instruction Scope
- okThe runtime instructions are purely informational and include a 'read_when' list describing when to consult the document. There are no directives to read local files, access environment variables, call external endpoints, or transmit data elsewhere — scope remains within the stated purpose.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only). This produces a minimal disk and runtime footprint and is proportionate to an informational skill.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. That is appropriate for a static company profile and raises no concerns about secret access or credential misuse.
- Persistence & Privilege
- okalways:false (not forced), user-invocable:true, and normal autonomous invocation allowed — these settings are typical. The skill does not request persistent system presence or modify other skills or system settings.