Skillv1.0.0

ClawScan security

Deloitte · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 22, 2026, 6:03 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only, informational skill about Deloitte with no installs, no requested credentials, and no instructions to access local files or external services — it appears coherent with its stated purpose.
Guidance: This skill is informational only and does not request credentials or install software, so it is low risk from a security perspective. Two non-security notes before installing: (1) the source/homepage are unknown — if you need authoritative or up-to-date Deloitte data for business or compliance decisions, verify against official Deloitte publications; (2) because it's instruction-only and can be invoked by the agent, avoid granting it access to private documents or secrets when asking about sensitive matters (the skill itself doesn't require them, but an agent could combine skills).

Purpose & Capability: okThe name/description (Deloitte corporate profile) aligns with the SKILL.md content (company history, business lines, data). The skill does not request unrelated binaries, env vars, or resources.
Instruction Scope: okSKILL.md provides purely informational content and a small 'read_when' meta list for when the agent should consult it; it does not instruct the agent to read arbitrary files, access credentials, or transmit data externally.
Install Mechanism: okNo install spec and no code files are present, so nothing will be written to disk or executed during installation.
Credentials: okThe skill requires no environment variables, credentials, or config paths — there is no disproportionate access requested.
Persistence & Privilege: okalways is false and the skill does not request persistent or cross-skill configuration changes. It can be invoked autonomously (platform default) but its scope is informational.