Back to skill
Skillv1.0.10
ClawScan security
Card Full · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 15, 2026, 1:24 PM
- Verdict
- Benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only web-research helper for producing credit-card reports; its declared requirements and runtime instructions are coherent and proportionate to that purpose.
- Guidance
- This skill appears to do what it says: it searches the web and compiles a credit-card report and only optionally uses a Brave Search API key if you provide it. Before installing, consider: (1) you must trust the platform's WebSearch/WebFetch tools because the skill fetches live pages; (2) BRAVE_API_KEY is optional—only supply it if you want the Brave-search path; (3) confirm the full SKILL.md (the excerpt showed a truncation) to ensure there are no hidden instructions to read local files or request unrelated secrets; and (4) the skill may surface live public offers that change frequently—verify critical financial details against issuer pages before acting.
Review Dimensions
- Purpose & Capability
- okName and description match the runtime instructions: the skill uses web search/fetch and user prompts to compile card reports. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope
- noteInstructions confine actions to WebSearch/WebFetch and AskUserQuestion and only optionally use a BRAVE_API_KEY + curl. There is some ambiguity about what counts as 'approved secondary pages' and the provided SKILL.md text in the prompt was truncated — if the real SKILL.md contains additional steps (e.g., reading local files or other env vars), that could change the assessment.
- Install Mechanism
- okNo install spec or code files — instruction-only skill, so nothing is written to disk by the skill itself.
- Credentials
- okNo required environment variables or credentials. BRAVE_API_KEY and curl are explicitly optional and reasonable for an alternate search path.
- Persistence & Privilege
- okalways:false and no special system config or cross-skill modification. Normal user-invocable/autonomous invocation defaults apply.