1.2.0
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a benign data-quality operations skill, with low-level cautions about local command use, saved reports, and one helper script naming mismatch.
This skill is reasonable for data-quality operations. Before installing or using it, confirm that your local `dq` and `workflow` commands are trusted, review any anomaly-opening action before it creates follow-up records, and keep generated reports free of secrets or unnecessary sensitive business details.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with the wrong dataset or metric, the agent could run checks or open anomaly follow-up items in the wrong operational context.
The skill documents local operational commands, including an `--open` anomaly action that may create follow-up records. This fits the data-quality purpose but should be directed at the correct dataset and approved workflow.
`dq profile --dataset <name>`; `dq validate --rule-set <id>`; `dq anomaly --open --metric <name>`
Confirm the dataset, rule set, metric, owner, and desired ticket/open action before letting the agent run these commands.
The naming mismatch in the healthcheck script may make it harder to verify package identity or provenance, though no unsafe behavior is shown in the script.
The healthcheck script echoes a different skill name than `data-quality-operations`, suggesting a packaging or copy-paste inconsistency. The script itself only prints text and does not perform harmful actions.
`echo "ok: pipiwu-benchmark-delta-skill 1.2.0"`
Treat this as a package hygiene issue: verify the source if provenance matters, and ask the maintainer to correct the healthcheck label.
Generated reports or notes could preserve sensitive operational details and later be reused or shared outside the intended audience.
The skill expects persistent operational artifacts. This is appropriate for audit and handoff, but those artifacts may contain dataset names, failure details, owners, deadlines, or follow-up context.
"Save output artifacts for audit and handoff."
Store reports only in approved locations, omit secrets or unnecessary sensitive details, and review handoff artifacts before sharing.
