Skillv1.0.0

ClawScan security

Hershey Company · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 25, 2026, 9:03 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only informational skill about The Hershey Company with no code, installs, or credential requests; its declared purpose matches what it does.
Guidance: This skill is low-risk: it contains static, read-only content about Hershey and does not request credentials or install code. Before relying on the data for decisions, verify time-sensitive facts (revenues, market share, acquisitions) against up-to-date primary sources, since the SKILL.md may be outdated or incomplete. If you need automatic data refreshes or live financials, prefer a skill that explicitly integrates with a reputable financial data API and declares the appropriate credentials.

Purpose & Capability: okThe name and description promise company history, business model, market position and governance — the SKILL.md contains static company information that directly matches that purpose. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope: okThe SKILL.md is a short static data/information file and the read_when hints when the agent should consult it; it does not instruct the agent to read files, access credentials, call external endpoints, or perform system actions outside its informational scope.
Install Mechanism: okNo install spec and no code files are present (instruction-only), so nothing is written to disk or downloaded during install.
Credentials: okThe skill requests no environment variables, credentials, or config paths — proportionate for a read-only informational skill.
Persistence & Privilege: okalways is false and the skill is user-invocable; model invocation is allowed (the platform default) but this combined with the skill's lack of code or credentials does not increase risk.