Skill v1.0.0
ClawScan security
Refund Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 11:38 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose (helping with refunds/returns), it doesn't request credentials or perform network I/O, and its footprint is proportionate to the described functionality.
- Guidance: This skill appears to do what it says: analyze order details and generate refund/return strategies and templates. Before installing: confirm you trust the host's shared LocalStore implementation (the skill stores data under 'refund-assistant'); review what data you will pass to the skill (orders may contain personal details); test in a sandbox if you want to verify there is no unexpected network activity; and remove or clear stored data if you don't want the assistant to retain past order information.
Review Dimensions
- Purpose & Capability (note): Name/description, SKILL.md, and the included index.js are consistent: platform rules, reason strategies, evidence lists, timeline and template generation all align with a refund-assistant. The only minor mismatch is that the code instantiates a LocalStore ('refund-assistant') for persistent storage which is not mentioned in SKILL.md — this is reasonable for caching but worth noting.
- Instruction Scope (ok): SKILL.md contains only usage instructions and examples. The runtime code operates on order objects, computes timelines and steps, and generates templates; it does not read unexpected files, environment variables, or call external endpoints.
- Install Mechanism (ok): No install spec is present and the skill is instruction+code only. There are no downloads or external install steps. The code requires a shared LocalStore module by relative path, which implies reliance on the host environment but not an external network install.
- Credentials (ok): The skill declares no required env vars or credentials and the code does not access environment variables or secret values. The data it uses (order details) is reasonable and proportionate to the task.
- Persistence & Privilege (note): The skill uses a LocalStore('refund-assistant') for local persistence. This is scoped to the skill and not combined with 'always:true' or other elevated privileges, but users should be aware that the skill may store order-related data locally.
