Skill v1.0.0

ClawScan security

Siriusxm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 17, 2026, 3:26 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a read-only, instruction-only informational skill about SiriusXM (company and services); it has no install steps, no requested credentials, and no instructions that access files or external secrets.
Guidance
This skill is essentially a static article about SiriusXM and appears safe to install from a technical/privilege perspective because it requests no credentials and performs no installs. Things to consider before installing: 1) the source/owner is unknown and SKILL.md contains factual claims (CEO, subscriber counts, acquisition amounts, satellite details) without citations — verify any sensitive business or legal decisions against authoritative sources; 2) because it is user-invocable and can be called autonomously by the agent (platform default), be aware the agent could quote or act on the content — ensure you trust its accuracy for downstream uses; 3) if you later extend this skill to perform network calls or access files, re-evaluate for credential requests and data exfiltration risks. Overall: coherent and low-risk as-is.

Review Dimensions

Purpose & Capability
ok
The name/description claim an informational/reference capability about SiriusXM and the SKILL.md contains company/service background and data — nothing in the package asks for unrelated resources or privileges.
Instruction Scope
ok
SKILL.md is a static reference document with 'read_when' triggers and a factual writeup. It does not instruct the agent to read system files, access environment variables, call external endpoints, or exfiltrate data.
Install Mechanism
ok
No install spec and no code files are present, so nothing will be downloaded or written to disk by the skill.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths — consistent with an informational skill.
Persistence & Privilege
ok
'always' is false and the skill does not request elevated/system-wide persistence or modification of other skills; autonomous invocation is allowed by platform default but not a unique risk here.