Back to skill
Skillv1.0.0
ClawScan security
Bridge Water · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 22, 2026, 9:03 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, informational skill about Bridgewater Associates with no installs, no credential requests, and nothing in the runtime instructions that attempts to access system files or external services — it appears to do what it says.
- Guidance
- This skill is informational only and does not request credentials or install software, so its direct security risk is low. Before installing: (1) confirm the platform enforces the registry 'always:false' flag since SKILL.md contains a conflicting 'trigger: always_on' line, and (2) remember that autonomous invocation is allowed by default on the platform — although this skill's content is read-only, review agent invocation policies if you prefer to restrict any third-party skills. If you need provenance, note the skill's source/homepage is unknown; treat factual claims as unverified and cross-check important data.
Review Dimensions
- Purpose & Capability
- okName and description match the SKILL.md content: a factual/analytical briefing on Bridgewater Associates. The skill declares no binaries, env vars, or installs — appropriate for a read-only informational skill.
- Instruction Scope
- noteSKILL.md is purely descriptive and scoped to topics to 'read when' discussing Bridgewater; it does not instruct the agent to read files, access credentials, or call external endpoints. One minor inconsistency: the top of SKILL.md includes 'trigger: always_on', but the registry metadata shows always:false. This is an internal mismatch in the instructions vs. registry flags (likely benign), but worth verifying.
- Install Mechanism
- okNo install spec and no code files. The skill is instruction-only, so nothing will be downloaded or written to disk during installation.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. There are no unexplained secret/token demands.
- Persistence & Privilege
- noteRegistry flags show always:false and normal autonomous invocation settings. The SKILL.md's 'trigger: always_on' line conflicts with that policy — the skill itself cannot force platform behavior, but confirm the platform respects registry flags if you are concerned about persistent activation.