Skill v1.0.0
ClawScan security
Corporate Credit Memo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 10:32 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requests, instructions, and included reference files are coherent with its stated purpose of producing institutional credit memos; it does not request unrelated credentials, installs, or elevated privileges.
- Guidance: This skill appears internally consistent and appropriate for generating credit memos, but before installing or using it consider: (1) confidentiality — uploaded annual reports/financials can contain sensitive or regulated data, so confirm where files are processed/stored (LLM provider logs, third-party services) and that this meets your institution's data-handling policy; (2) validation — many items are flagged [TO BE CONFIRMED] (RAROC, RWA, internal policy thresholds) and must be completed by your internal teams before submission to a credit committee; (3) parsing capability — the skill claims to handle PDFs, Word, and some non-English documents but relies on the agent/platform for extraction/translation; test with non-sensitive examples to confirm accuracy and formatting (DOCX layout, tables, colour scheme); (4) regulatory/legal checks — the skill is an aid, not legal or regulatory advice; ensure legal and compliance review of security/enforceability sections before relying on them. If you need higher assurance, ask the author (or repo) where file extraction and web queries are executed (locally/on-platform/third-party) and whether any telemetry or logs are retained.
Review Dimensions
- Purpose & Capability: ok. Name/description (generate credit memos from uploaded reports) aligns with the actual requirements and behavior: no environment variables, no unrelated binaries, and included references support the described output. The claim to handle Chinese-language source documents is plausible for an instruction-only skill but implicitly depends on the agent or platform having appropriate parsing/translation capabilities.
- Instruction Scope: ok. SKILL.md stays within the stated purpose: it directs intake questions, reading of uploaded financial documents, local reference files, and read-only web search to supplement analysis. It explicitly flags internal items as [TO BE CONFIRMED] and forbids fabrication. The instructions do involve processing potentially sensitive uploaded documents — appropriate confidentiality controls should be considered on the hosting platform, but this is expected for the skill's function.
- Install Mechanism: ok. No install spec and no code files (instruction-only) — lowest risk install surface. Nothing is downloaded or written to disk by an installer according to the manifest.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The skill does not require unrelated secrets or system access; requested inputs (uploaded reports, deal parameters) are proportionate to the task.
- Persistence & Privilege: ok. The manifest's always flag is false and the skill does not request persistent system-wide privileges or to modify other skills. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges here.
