Skillv1.0.0

ClawScan security

Columbia Sportswear · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 19, 2026, 6:08 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only skill that provides a company profile of Columbia Sportswear; its declared capabilities, instructions, and requirements are internally consistent and request no sensitive access.
Guidance: This skill is essentially a static company profile and appears low-risk: it asks for nothing sensitive and contains only informational text. However, the source/publisher is unknown — if you rely on this for decisions, verify facts against authoritative sources (company filings, official site). Because the skill can be invoked autonomously by the agent (normal default), avoid combining it with other skills that do request credentials. If you need stronger assurance, prefer skills from verified publishers or those that reference authoritative data sources.

Purpose & Capability: okThe skill name and description match the SKILL.md content (a company/market profile). It declares no binaries, env vars, or config access that would be unrelated to providing company information.
Instruction Scope: okSKILL.md contains only profile text and explicit 'read_when' triggers about researching company info, market position, and investment/competitive analysis. It does not instruct the agent to read local files, environment variables, or send data to external endpoints.
Install Mechanism: okNo install spec and no code files — instruction-only. Nothing is downloaded or written to disk by the skill itself.
Credentials: okThe skill requests no environment variables, credentials, or config paths; there is no disproportionate or unexplained credential access.
Persistence & Privilege: okalways is false and the skill is user-invocable with normal model invocation allowed. It does not request permanent presence or modify other skills/configurations.