Skill v1.0.0

ClawScan security

M And M · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 24, 2026, 4:03 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instruction-only skill that provides static marketing/history content about M&M's and requests no installs, credentials, or system access — its declared purpose matches its footprint.
Guidance
This skill is a static informational package about the M&M's brand and appears coherent and low-risk: it asks for nothing and installs nothing. Before installing, consider: (1) the publisher is unknown and there's no homepage — if provenance matters to you, ask the publisher for a source or prefer skills from known authors; (2) content accuracy is not guaranteed — if you need authoritative facts (sales, dates), verify against primary sources; and (3) since it can be invoked by the agent, be aware it may be called automatically but it has no privileges or access to your environment.

Review Dimensions

Purpose & Capability
ok: Name and description are a simple brand/history summary; the skill requires no binaries, env vars, or config paths, which is proportional to a read-only informational skill.
Instruction Scope
ok: SKILL.md contains only descriptive text and read_when guidance for when to use the content. It does not instruct the agent to run commands, read files, access env vars, or transmit data to external endpoints.
Install Mechanism
ok: No install spec and no code files — lowest-risk model (instruction-only). Nothing is written to disk or fetched at install time.
Credentials
ok: The skill declares no environment variables, credentials, or config paths; there is no disproportionate access requested.
Persistence & Privilege
ok: always is false and the skill does not request elevated persistence. disable-model-invocation is default (false), meaning the agent may call it autonomously, which is normal; combined with the skill's lack of privileged access, this is not a concern.