Skillv1.0.0

ClawScan security

Progressive Corp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 29, 2026, 5:20 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This skill is an instruction-only, read-only informational summary about Progressive Insurance; it requests no credentials, performs no installs, and appears to only serve as a knowledge prompt (though its description slightly overstates functional capabilities).
Guidance: This skill is essentially a static knowledge article about Progressive Insurance and does not perform pricing, shopping, or transactions. It does not request credentials or install anything, so it is low-risk to install from a technical perspective. Two cautions: (1) the skill's description wording may overpromise—do not expect it to interact with insurance systems or give live quotes; (2) source/homepage are not provided, so verify facts (numbers and dates) against official or authoritative sources before relying on them for decisions. If you need to buy insurance or get live pricing, use Progressive's official channels or verified integrations that explicitly require and justify credentials.
Findings: [no-findings] expected: The regex-based scanner had no files other than SKILL.md to analyze; for an instruction-only knowledge skill this is expected.

Purpose & Capability: noteThe skill description implies offering pricing/comparison services, but the SKILL.md contains only historical, business, and product information for Progressive Insurance. No APIs, endpoints, or transactional capabilities are declared or required — the descriptive text overpromises functionality compared with the actual instruction content.
Instruction Scope: okSKILL.md instructs the agent to present company history, business model, moat analysis, and key facts when users ask about Progressive; it does not direct reading of unrelated files, environment variables, system paths, or transmitting data to external endpoints.
Install Mechanism: okThere is no install spec and no code files. This is the lowest-risk model: nothing is written to disk or fetched at install time.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. No secrets are requested or needed for the documented behavior.
Persistence & Privilege: okFlags are default (always: false, user-invocable true). The skill does not request permanent presence or elevated privileges, and it does not modify other skills or system-wide settings.