Skill v1.0.0
ClawScan security
Home Depot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 3:26 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only, informational skill about The Home Depot with no installs, no required credentials, and no instructions that access unrelated system data—its declared purpose matches what it does.
- Guidance: This skill is informational only and doesn't ask for credentials or install anything, so it's low technical risk. However, the package lists no source or homepage — treat the content as unverified secondary material. If you will rely on this for decisions (investing, procurement), cross-check the facts against primary sources (Home Depot investor relations, SEC filings, reputable news). Because the agent can call skills autonomously by default, be mindful if you allow autonomous actions that use other skills with network access or credentials; this particular skill itself does not access external systems or secrets.
Review Dimensions
- Purpose & Capability (ok): Name and description are an informational/company profile. The SKILL.md contains historical, business-structure, and metric content consistent with that purpose. There are no requested binaries, env vars, or config paths that would be inconsistent with an informational skill. Note: the skill's source/homepage are unknown, so provenance and factual accuracy cannot be verified from the package itself.
- Instruction Scope (ok): The SKILL.md provides static content and guidance for when to read/use the skill (e.g., queries about Home Depot, industry analysis). It does not instruct the agent to read local files, access unrelated environment variables, call external endpoints, or collect/transmit data. No vague 'gather whatever context you need' language expands scope beyond an informational role.
- Install Mechanism (ok): No install specification and no code files — instruction-only. This is the lowest-risk install model; nothing is written to disk or downloaded.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. There are no secrets-exfiltration risks apparent from the manifest or SKILL.md.
- Persistence & Privilege (ok): always is false and there is no indication the skill modifies agent/system settings. The default ability for the agent to invoke the skill autonomously is present (platform default) but not combined with any other concerning privileges.
