Back to skill
Skillv1.0.0
ClawScan security
Ralph Lauren · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 16, 2026, 10:58 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, read-only brand guide for Ralph Lauren; its declared purpose, runtime instructions, and requested capabilities are internally consistent and proportionate.
- Guidance
- This skill appears to be a self-contained reference about Ralph Lauren and is internally consistent. If you install it, note that: (1) it provides static content and cannot fetch live data or act on your behalf; (2) because the source and homepage are unknown, verify any critical facts (financials, personnel, exact figures) against official sources before using them in decisions; and (3) be alert if a future version begins requesting environment variables, installs, or network access — that would be a meaningful change in risk profile.
Review Dimensions
- Purpose & Capability
- okThe skill's name and description promise brand history, product-line explanation, and aesthetic analysis; the SKILL.md is exactly a brand guide covering history, product lines, positioning, and timelines. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope
- okThe SKILL.md contains topical content and a small 'read_when' trigger list for when to present the information. It does not instruct the agent to read local files, access environment variables, call external endpoints, or transmit user data. The instructions are scoped to providing brand information and analysis.
- Install Mechanism
- okNo install spec and no code files are present (instruction-only skill). This is the lowest-risk model: nothing is written to disk and no external packages or downloads are performed.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. That is proportional for a content-only informational skill.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system presence or modify other skills. Autonomous invocation is allowed (platform default) but presents minimal risk here because the skill has no external access or credentials.