Skill v1.0.0

ClawScan security

Legal Ip Portfolio Audit Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 26, 2026, 10:50 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a document-only IP-audit guidance skill whose stated purpose matches its files and runtime instructions; it requests no credentials and installs no code. Because the source is unknown, avoid pasting privileged/confidential client data and verify the publisher before relying on outputs for legal decisions.
Guidance
This package is a text-only checklist/template guide and appears consistent with its stated purpose. Before installing or invoking it: (1) do not paste privileged or confidential client information into the skill — its outputs are informational and may be stored or logged by the agent; (2) verify the publisher/source if you need provenance or auditability (the package lists no homepage and the source is 'unknown'); (3) treat outputs as planning aids only and have a qualified attorney verify any legal conclusions, jurisdictional rules, deadlines, or filings; (4) if you require stronger guarantees (e.g., internal retention, non-disclosure, or provenance), prefer guidance from a known/trusted source or from your firm’s internal templates.

Review Dimensions

Purpose & Capability
ok · The name/description (IP portfolio audit checklists/templates) align with the package contents: SKILL.md, README.md and skill.json provide descriptive guidance. There are no unrelated requirements (no binaries, env vars, or external APIs) that would be incoherent with the stated purpose.
Instruction Scope
note · SKILL.md stays within descriptive workflow guidance and explicitly disclaims legal advice and automation (no network calls, no filings). It asks the agent to collect facts, documents, dates and other context from the user, which is appropriate for an audit but creates the real-world risk that users may be prompted to disclose privileged or sensitive client data. The skill itself does not instruct reading system files, accessing hidden endpoints, or transmitting data externally.
Install Mechanism
ok · No install spec and no code files are present (instruction-only). This is the lowest-risk install surface: nothing will be written to disk or executed by the agent as part of the skill.
Credentials
ok · The package requires no environment variables, credentials, or config paths. There are no disproportionate secret or credential requests relative to the described functionality.
Persistence & Privilege
ok · always:false and user-invocable:true (normal defaults). The skill does not request persistent presence, system-wide configuration changes, or access to other skills' credentials.