Back to skill
Skillv1.0.0
ClawScan security
Orange · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 5:09 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a read-only, instruction-only skill that provides a company profile of Orange S.A.; its declared requirements and instructions are consistent with that purpose.
- Guidance
- This skill is a static company profile and poses low risk: verify any facts against primary sources (company filings, official site, financial databases) before using the data for investment decisions, and be cautious if you combine this skill with other network-enabled skills that could transmit data externally.
Review Dimensions
- Purpose & Capability
- okSkill name, description, and SKILL.md content all focus on providing corporate/market information about Orange S.A.; it requests no binaries, env vars, or config paths that would be unnecessary for that purpose.
- Instruction Scope
- okSKILL.md contains static content and a small 'read_when' trigger list (queries that should use this content). There are no instructions to read local files, access credentials, call external endpoints, or transmit data outside the agent, so the instruction scope stays within the stated purpose.
- Install Mechanism
- okNo install spec or code files are present (instruction-only). Nothing will be written to disk or fetched during installation, which is the lowest-risk setup.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths. There are no disproportionate or unexplained secret requests.
- Persistence & Privilege
- okalways is false and the skill is user-invocable (defaults). It does not request permanent presence or elevated privileges; autonomous invocation is permitted by platform default but is not combined with other red flags here.