Skill v1.0.0

ClawScan security

Bristol Myers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 19, 2026, 5:06 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only company profile for Bristol Myers Squibb that requests no credentials or installs and is internally consistent with its stated purpose.
Guidance
This skill appears to be a straightforward, read-only company profile — it doesn't request credentials or install anything. Before relying on it for investment or medical decisions, verify key figures and claims (revenues, approvals, pricing) against primary sources (company filings, FDA, reputable financial news). If you need up-to-date or sourced information, prefer skills or tools that cite official data or allow linking to verified datasets.

Review Dimensions

Purpose & Capability
ok
The skill name and description claim to provide a company profile and analysis; the SKILL.md is exactly that (history, business lines, metrics, analysis). There are no unexpected binaries, env vars, or external integrations requested that would be unrelated to an informational/company-profile skill.
Instruction Scope
ok
Runtime instructions are static content and 'read_when' triggers for delivering company information, competitive analysis, and investment context. The document does not instruct the agent to read local files, access environment variables, call external endpoints, or exfiltrate data. The content contains factual claims that could be outdated or require verification, but that is a content-quality concern rather than a scope/security issue.
Install Mechanism
ok
No install specification and no code files — instruction-only. This has minimal installation risk because nothing will be written to disk or fetched at install time.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets or external credentials relative to the stated informational purpose.
Persistence & Privilege
ok
always:false (default) and user-invocable:true. The skill does not request permanent presence, nor does it attempt to modify other skills or system configs. Autonomous invocation remains possible but is standard platform behavior and not coupled with other red flags here.