Skill v1.0.3
ClawScan security
Card Profile Recommend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 1:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, requirements, and optional environment access are coherent with its stated purpose of analyzing card portfolios and recommending cards.
- Guidance: This skill looks coherent for recommending and grading credit cards. Before using it: (1) only provide card names and optional opening dates — do not share card numbers, account logins, Social Security numbers, or other sensitive credentials; (2) you don't need to supply BRAVE_API_KEY or install curl unless you want the optional Brave-search path — avoid giving API keys unless you trust the skill owner; (3) cross-check any issuer-rule claims the skill makes (5/24, lifetime bonuses, etc.) against issuer terms before acting; (4) if you plan to let agents run autonomously, remember this skill will fetch web pages when invoked — enable it only when you are comfortable with that behavior.
Review Dimensions
- Purpose & Capability (ok): The name and description (portfolio grading, issuer rules, churn strategy, application sequencing) match the SKILL.md workflow. Required capabilities are limited to web search/fetch and asking the user for their card list and optional opening dates — all reasonable for this functionality.
- Instruction Scope (note): Instructions are focused on searching issuer and approved secondary pages, normalizing card names, computing 5/24 when opening dates are provided, and producing recommendations. The skill expects user-supplied card names and optionally opening dates (sensitive financial metadata). It explicitly forbids executing shell commands with interpolated URLs and limits fetches to HTTPS + approved domains, which reduces risk. Users should avoid submitting account numbers, full PANs, login credentials, or other sensitive PII — the skill does not need them.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files. That is the lowest-risk install posture; nothing is written to disk or fetched for execution by the skill itself.
- Credentials (ok): No required environment variables or credentials. One optional variable (BRAVE_API_KEY) and an optional binary (curl) are referenced for an alternate search path; both are optional and proportionate to a web-search optimization. No unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent system privileges or configuration changes. Autonomous invocation is permitted by platform default but is not combined with other elevated privileges or broad credential access here.
