Back to skill
Skillv1.0.0
ClawScan security
Oslo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 6:06 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a self-contained, instruction-only city-profile skill about Oslo; it requires no installs or credentials and its requested capabilities match its stated purpose.
- Guidance
- This skill appears to be a harmless, read-only city profile. Before relying on it: note the source/homepage is missing and the publisher identity is opaque, so verify any facts (population, EV share, fund values, dates) against authoritative sources before using them for decisions—especially financial or investment decisions. If you plan to use the content programmatically or as factual input, ask the maintainer for citations or add provenance checks. Otherwise there are no technical permission risks in installing this skill.
- Findings
[no-findings] expected: The regex scanner found nothing to analyze because the skill is instruction-only (single SKILL.md). That is expected for a static content skill.
Review Dimensions
- Purpose & Capability
- okThe name/description and SKILL.md content all describe a city profile and business/market notes about Oslo. The skill declares no binaries, env vars, or config paths — which is proportionate for an informational skill. The 'read_when' triggers (e.g., preparing investment analysis or competitor comparisons) are plausible uses for this content.
- Instruction Scope
- okSKILL.md is static content (text, tables, guidance) and does not instruct the agent to run commands, read local files, access environment variables, or transmit data to external endpoints. Triggers are limited to when the agent should use this content; there is no scope creep in the instructions.
- Install Mechanism
- okThere is no install spec and no code files; this is instruction-only. That minimizes disk writes and runtime installation risk.
- Credentials
- okThe skill requests no environment variables or credentials. Nothing in the manifest asks for access to unrelated services or secrets.
- Persistence & Privilege
- okThe skill is not forced-always and uses default autonomous-invocation behavior. It does not request persistent system privileges or modify other skills' configurations.