Skillv1.0.0

ClawScan security

Mondalez · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 29, 2026, 3:06 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only content skill that provides static, topical information about Mondelez and does not request credentials, install code, or access system resources—its declared purpose matches what it contains.
Guidance: This skill is low-risk from a technical-permission perspective because it is instruction-only and asks for no credentials or installs. However, note the source and homepage are unknown: verify any factual claims (revenues, market share, timelines) against primary sources (Mondelez investor relations, SEC filings, reputable industry reports) before using the data for decisions. If you require provenance or citations, ask the skill author for sources or prefer skills/publications with clear attribution. If you have a policy against third-party content with unknown origin, treat this as unverified background material rather than authoritative data.

Purpose & Capability: okThe name and description promise insights on Mondelez' brands and strategy; the SKILL.md contains exactly that kind of market/brand/history content. There are no unrelated requirements (no env vars, binaries, or config paths).
Instruction Scope: okSKILL.md is a static content/information document (brand timeline, business model, key data). It does not instruct the agent to read files, access environment variables, call external endpoints, or transmit data elsewhere. The only risk is factual accuracy, not scope creep.
Install Mechanism: okNo install specification or code files are included. As an instruction-only skill, nothing is downloaded or written to disk by the skill itself.
Credentials: okThe skill requests no environment variables, credentials, or configuration paths—there is no disproportionate access requested relative to its purpose.
Persistence & Privilege: okalways:false and default invocation settings are used. The skill does not request permanent/system-level presence or modify other skill configs.