Skill v1.1.0

ClawScan security

tim-hortons-ca · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 12:06 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This instruction-only skill is internally consistent: it offers informational analysis about Tim Hortons Canada and requests no credentials, installs, or system access.
Guidance
This skill is low risk and coherent with its stated purpose: it provides descriptive analysis about Tim Hortons in Canada and asks for no credentials or installs. Two practical notes before installing: (1) the skill's source/homepage is unknown—if provenance matters to you, prefer skills with a verifiable author or homepage; (2) the SKILL.md contains factual claims (store counts, revenues, penetration rates) that may be estimates or become outdated—verify critical data against primary sources (RBI filings, official reports, reputable news) before relying on them for decisions.

Review Dimensions

Purpose & Capability
ok: The name/description (Tim Hortons Canada analysis) matches the SKILL.md content, which is purely informational market/brand analysis. No unrelated resources, binaries, or credentials are requested.
Instruction Scope
ok: SKILL.md contains only textual analysis, history, and data points. It does not instruct the agent to read files, access environment variables, call external endpoints, or perform system actions.
Install Mechanism
ok: No install spec is present and there are no code files; this is an instruction-only skill, so nothing is written to disk or installed.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. Nothing disproportionate is required for its stated informational purpose.
Persistence & Privilege
ok: always is false and the skill does not request special privileges or modify system/agent settings. Normal autonomous invocation is allowed (platform default) but there is no additional persistence or privilege requested.