Skill v1.0.0

ClawScan security

Dunkin Donuts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 10:04 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
An instruction-only informational skill about the Dunkin' brand that requests no binaries, credentials, or installs and whose behavior is consistent with its description.
Guidance
This skill is just a static informational document about Dunkin' and does not request any permissions, installs, or credentials — low technical risk. Two things to consider before installing: (1) the skill's source/publisher is unknown (no homepage or verified owner information), so treat provenance and future updates with caution; (2) SKILL.md contains a 'trigger: always_on' line that conflicts with the registry's always:false flag — ask the publisher to confirm whether the skill will run persistently. If you require only read-only brand info, this skill is proportionate; avoid enabling it with elevated privileges unless the publisher's intent is clarified.

Review Dimensions

Purpose & Capability
ok: The SKILL.md is an informational overview of Dunkin' (history, business model, facts). The name and description match the content and there are no unrelated requirements (no env vars, binaries, or config paths).
Instruction Scope
note: The runtime instructions are purely static content and do not instruct the agent to read files, call external endpoints, or access secrets. Note: the SKILL.md begins with 'trigger: always_on', which suggests it was intended to be always active, but the registry metadata shows always:false, a minor inconsistency in trigger intent.
Install Mechanism
ok: No install spec and no code files are present. Being instruction-only means nothing is written to disk or fetched at install time.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets or access relative to the stated informational purpose.
Persistence & Privilege
note: Registry flags show always:false and normal autonomous invocation settings. The SKILL.md's 'trigger: always_on' conflicts with the registry flag; if the author intended persistent/always-on behavior that would be a higher privilege and should be clarified before enabling.