Skill v1.0.0

ClawScan security

Card Wallet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 1:24 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions are coherent with an online wallet-audit tool: it only uses web search/fetch, asks the user for ambiguous input, and optionally uses a Brave API key if supplied.
Guidance
This skill appears to do what it says: it will search issuer websites and approved secondary sources to produce an audit of your card lineup. Because it fetches public web pages, it may return outdated or incomplete information — verify benefits/credits on issuer sites before acting. You do not need to provide any secrets or card numbers; never share full card numbers, CVV, SSN, or other sensitive data when asking for a wallet audit. Supplying a BRAVE_API_KEY is optional and would only be used to run Brave Search calls instead of the platform's default WebSearch. If you want the agent to act autonomously, remember it can run searches by itself, but this skill does not request extra system access or install components.

Review Dimensions

Purpose & Capability
ok: Name/description (wallet audit across issuers) match the instructions: the SKILL.md relies on WebSearch/WebFetch to gather issuer benefit pages, resolves card names, and analyzes earns/fees. There are no unexpected credentials, binaries, or installs required for this stated purpose.
Instruction Scope
ok: Instructions are bounded to parsing card lists, resolving identities, searching/fetching issuer and approved secondary pages, and producing an analysis. The skill will ask follow-up questions for ambiguous inputs. It does not instruct reading unrelated system files or environment variables beyond an optional search API key.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — nothing is written to disk and no external packages are pulled. This is the lowest-risk installation model and matches the skill's behavior.
Credentials
ok: No required environment variables or credentials are declared. One optional environment variable (BRAVE_API_KEY) is listed for an alternative search path, which is proportionate and clearly described. No other secrets or unrelated env vars are requested.
Persistence & Privilege
ok: always is false and the skill is user-invocable; it does not request permanent presence or system-wide configuration changes. Autonomous invocation is allowed by default but is not combined with any elevated privileges or broad credential access.