Skill v1.0.0
ClawScan security
Gucci Brand · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 3:05 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only, read-only skill that provides a short brand overview of Gucci; it requests no credentials, installs nothing, and its runtime instructions are limited to serving static content; main non-security issue is missing provenance for the facts it presents.
- Guidance: This skill is an instruction-only content provider about Gucci and does not request permissions or install code, so it is coherent and low-risk from a security standpoint. Two practical cautions: (1) Source provenance is missing: the SKILL.md includes concrete figures and claims (revenues, percentages, timelines) but does not cite sources; verify any business-critical data before relying on it. (2) Because it's static text, information may be out of date; if you need authoritative or up-to-date facts (financials, leadership changes, policy statements), consult primary sources (company reports, press releases, or reputable news) rather than relying solely on this skill.
Review Dimensions
- Purpose & Capability: ok. The name/description match the content: the skill is a simple informational Gucci brand summary. It does not request unrelated binaries, env vars, or config paths, so requested capabilities are proportionate to its stated purpose.
- Instruction Scope: note. SKILL.md is limited to static content and a small set of trigger conditions (read_when). It does not instruct the agent to read files, call external endpoints, or access credentials. However, the content contains factual claims (revenues, percentages, dates) without cited sources; this is a provenance/accuracy concern rather than a security one.
- Install Mechanism: ok. No install specification and no code files, which is the lowest-risk pattern. Nothing will be written to disk or downloaded by the skill itself.
- Credentials: ok. The skill requests no environment variables, credentials, or configuration paths. There is no disproportionate access to secrets or unrelated services.
- Persistence & Privilege: ok. Defaults are used (not always: true). The skill is user-invocable and may be invoked autonomously by the agent (platform default), which is reasonable for a read-only informational skill and not, on its own, a security concern.
