Skillv1.0.0

ClawScan security

Pga · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 16, 2026, 10:57 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is a read-only, instruction-only PGA Tour reference (in Chinese) that asks for no credentials, installs, or runtime actions and is internally consistent with its stated purpose.
Guidance: This skill is a static Chinese-language reference about the PGA Tour and appears safe to install: it requests no credentials and has no install or code. Keep in mind it is not a live-score or data-fetching tool—information may become outdated. If you need real-time schedules/results, prefer a skill or integration that explicitly declares the relevant API and credentials. If you require English content, note this skill is authored in Chinese.

Purpose & Capability: okName/description match the SKILL.md content: a static PGA Tour reference (schedules, rules, history, players). The skill declares no binaries, env vars, or installs—consistent with a documentation-style skill.
Instruction Scope: okSKILL.md is static content with a small 'read_when' hint list. It does not instruct the agent to read files, access environment variables, call external endpoints, or execute commands. It does not provide a mechanism for fetching live scores (this is a content limitation, not a security concern).
Install Mechanism: okNo install spec and no code files — lowest-risk, instruction-only skill. Nothing will be written to disk or downloaded as part of installation.
Credentials: okThe skill requires no environment variables, credentials, or config paths. There is no disproportionate access request relative to the described functionality.
Persistence & Privilege: okalways is false and the skill does not request persistent system-level privileges or modify other skills' configurations. Autonomous invocation is allowed by default but is not combined with any broad access.