Skillv1.0.0

ClawScan security

Instant Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 17, 2026, 12:34 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (generate structured industry/company research reports) aligns with its instructions and resource lists; it is an instruction-only workflow that does not request credentials, binaries, or installs and therefore appears internally coherent.
Guidance: This skill is internally coherent for producing research reports and does not ask for secrets or installs. Before enabling it, confirm two operational points: (1) your agent platform supports the sessions_spawn subagent flow used here and you are comfortable with subagents performing web searches on your behalf; (2) the referenced output skills (minimax-docx and minimax-pdf) exist and are trusted, because they will receive the report content and produce final files. Also note the skill will fetch and embed many external URLs (some HTTP endpoints); avoid sending sensitive or confidential queries to this skill without reviewing organizational policies. If you need higher assurance, test with non-sensitive requests and inspect generated reports and cited URLs for correctness.

Review Dimensions

Purpose & Capability: okName, description, and the included references/quality checklist match the runtime instructions: the skill's goal is to collect authority sources, produce a multi‑chapter report, fact‑check it, and export DOCX/PDF. It does not request unrelated credentials or system access.
Instruction Scope: noteThe SKILL.md strictly requires searches and data gathering to be performed by spawned subagents (sessions_spawn) and forbids the main agent from searching directly; this is coherent for a multi‑stage pipeline but creates a dependency on the platform's subagent API. It also delegates final file generation to external skills (minimax-docx/minimax-pdf) — the risk/behavior of those skills is out of scope for this package and should be trusted separately.
Install Mechanism: okInstruction-only skill: no install spec, no downloads, no code files to execute. This is the lowest-risk install model.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The references list many public data sources (some HTTP endpoints) which are appropriate for the stated purpose. There is no unexplained request for secrets or unrelated credentials.
Persistence & Privilege: okalways:false and no attempt to modify other skills or system configuration. Autonomous invocation is permitted by default but this skill does not request elevated persistence or system privileges.