Skill v1.0.0

ClawScan security

Cb Shipping Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 22, 2026, 12:32 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, documentation, and runtime behavior align with a descriptive shipping‑recommendation tool; it requires no credentials or network access and does not perform unexplained actions.
Guidance
This implementation appears coherent and runs purely locally: it returns JSON built from hard-coded carrier scores, lane maps, and customs tables. Before relying on it for operational decisions, note: (1) carrier scores and duty thresholds are static and may be outdated or oversimplified (verify live rates and current regulations with carriers/customs authorities); (2) the parser uses simple regexes, defaults the origin to China, and falls back to default values, so check parsed input for accuracy; (3) if you need real-time pricing, tracking, or booking, you'd need to integrate carrier APIs (which would require credentials and network access); and (4) the skill does not exfiltrate data or request secrets. Overall it is internally consistent with its stated descriptive purpose.

Review Dimensions

Purpose & Capability
ok
Name/description (international shipping optimizer) match the included files and logic. No unrelated binaries, env vars, or config paths are requested. The handler implements scoring, lane recommendations, customs guidance and cost strategies consistent with the stated purpose.
Instruction Scope
ok
SKILL.md promises 'pure descriptive' behavior with no exec/network/file writes; handler.py adheres to that (local computation, regex parsing, JSON output). The instructions do not ask the agent to read system files, call external endpoints, or access extra env vars.
Install Mechanism
ok
No install spec is provided (instruction-only). There is no download/install step and no archives or third-party packages pulled in, minimizing install-time risk.
Credentials
ok
The skill requests no environment variables or credentials. The code uses only the provided user_input and built-in data structures; no secret access is required or requested.
Persistence & Privilege
ok
'always' is false, the skill does not modify other skills or system settings, and does not persist credentials or state beyond its own output.