Skill v2.0.1

ClawScan security

Skill Market Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 21, 2026, 1:28 PM
Verdict
Review
Confidence
high
Model
gpt-5-mini
Summary
The skill claims to analyze the marketplace but the included code is a tiny, canned script that does not actually collect or analyze marketplace data, so the capability is overstated and the package is misleading.
Guidance
This package is effectively a stub: it promises marketplace analysis but only contains a simple shell script that writes a static report. Before installing or trusting results, consider: 1) Don’t expect real data-driven insights — the script does not fetch or analyze marketplace data. 2) If you need real analysis, ask for or inspect code that reads skill data (APIs, exports, or local datasets). 3) Verify the author/maintainer and request transparency about data sources and methods. 4) Running the script is low-risk (it only writes a local report file), but treat its output as placeholder text unless the skill is updated to include actual data collection and analysis.

Review Dimensions

Purpose & Capability
concern
Name/description promise: analyze OpenClaw skill marketplace and generate data-driven insights. Actual artefacts: a single small shell script that writes a static, hard-coded report; no code to fetch, parse, or analyze marketplace data. This is a clear mismatch — the skill does not implement the functionality it advertises.
Instruction Scope
concern
SKILL.md directs the agent to run scripts/analyze.sh and states analysis is local and based on publicly available skill data. The script does not access any data sources, configuration, or environment variables and simply emits canned text. The instructions therefore overstate what will happen and could mislead users into believing a real analysis will be performed.
Install Mechanism
ok
No install spec; the skill is instruction-only with a small shell script. Nothing is downloaded or written to system locations beyond the user-specified output file when the script runs.
Credentials
ok
The skill declares no required environment variables, no credentials, and references no config paths. The static script does not access secrets or external services, so requested environment access is proportionate (none).
Persistence & Privilege
ok
always is false; the skill does not request persistent presence, does not modify other skills, and contains no installation hooks. It only writes its output file when invoked.