Skillv1.0.0

ClawScan security

Legal Regulatory Compliance Mapper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 26, 2026, 2:17 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is a descriptive, instruction-only skill that matches its stated purpose (producing checklists, templates, and planning aids) and does not request credentials, install code, or perform network calls.
Guidance: This skill is a descriptive, document-only tool that appears coherent with its stated purpose. Before installing: (1) remember it is informational only and not a substitute for qualified, jurisdiction-specific legal advice; (2) avoid pasting privileged, confidential, or sensitive documents into the skill — you should redact or consult counsel first; (3) note the package has no homepage and the publisher is an ID only, so if provenance matters for your organization you may want to confirm the author or use an internally-vetted alternative; (4) because it solicits facts from you, verify any legal conclusions it informs with a qualified attorney.

Purpose & Capability: okName, description, README, SKILL.md, and skill.json all describe a document-only compliance-mapping helper. The package requests no binaries, env vars, or config paths. The lack of source/homepage is noted but does not contradict the skill's stated, non-executing purpose.
Instruction Scope: okSKILL.md limits the skill to asking for context and producing frameworks, checklists, templates, and planning aids; it explicitly disclaims code execution, external API calls, or data retrieval. It instructs the agent only to solicit user facts and generate textual outputs, which is consistent with the described purpose.
Install Mechanism: okThere is no install spec and no code files (instruction-only). No downloads, extracts, or package installs are present — this is the lowest-risk installation model and matches the acceptance criteria.
Credentials: okThe skill requires no environment variables, credentials, or config paths. SKILL.md does not request access to unrelated secrets. This is proportionate for a document-only legal workflow helper.
Persistence & Privilege: okThe skill does not request persistent or elevated privileges; always is false and it contains no self-modifying/install actions. Autonomous model invocation is allowed by platform default but not abused by the skill's content.