Skill v2.0.1

ClawScan security

Ai Company Cfo 2.0.0 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 19, 2026, 10:57 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and instructions are internally consistent with a CFO/financial-automation role — it asks for file and network access and describes payment/audit flows — but it can perform high-impact operations if runtime credentials or connectivity are provided, so exercise caution before granting access.
Guidance
This skill appears internally coherent for an automated CFO: it reads workspace files and is designed to call ERPs, cloud billing APIs, banks, and blockchain gateways. That means it could carry out high-impact actions if you provide runtime credentials or wide network access. Before installing or enabling it: (1) do not supply your primary bank/cloud credentials — create least-privilege service accounts or restricted API keys and scope them tightly; (2) restrict network access to only the specific endpoints you trust (ERP, bank, cloud billing, blockchain gateway) and audit outbound calls; (3) require explicit human confirmations and multi-party approvals for any high-value transactions (ensure the documented double-authorization is actually enforced by your environment); (4) review and vet the referenced dependent skills (HQ / CLO / Audit) since the CFO delegates certain actions via HQ routing; (5) monitor logs and audit trails for any unexpected automated transactions. If you want higher assurance, ask the author for an explicit list of external endpoints and the exact runtime checks used to enforce dual authorization and transaction limits.

Review Dimensions

Purpose & Capability
ok
Name/description (AI Company CFO) match the declared permissions and content: the skill needs file read/write for financial records, network/api access for ERP/cloud/bank/blockchain integrations, and mcp permissions to route alerts or subagents. Dependencies on HQ/Audit/CLO skills are plausible for a multi-agent governance stack.
Instruction Scope
note
The SKILL.md instructs the agent to read workspace files (SOUL.md, USER.md, memory/), evaluate metrics, and initiate operational actions including automated payments, chain transactions, and 'automatic execution' flows with double-signing/multi-sig. That behavior is coherent for a CFO skill but the document does not include concrete enforcement controls (e.g., explicit confirmation steps, allowed endpoints, or safe sandboxes). At runtime the skill could issue transactions or call external APIs if credentials and network access are available.
Install Mechanism
ok
Instruction-only skill with no install spec and no code files — lowest-risk from installation perspective. Nothing is downloaded or written by an installer according to the metadata.
Credentials
note
The skill declares no required env vars or config paths, which is consistent with being instruction-only. However, the content assumes integration with cloud billing, bank APIs, blockchain gateways, and ERP systems — in practice those will need credentials at runtime. Requesting such credentials later would be proportionate to the purpose, but you should avoid supplying broad/shared credentials and prefer least-privilege API keys and isolated accounts.
Persistence & Privilege
ok
always:false (not force-included) and no install makes this non-persistent. It does request mcp permissions (sessions_send, subagents) which fit a multi-agent CFO role; autonomous invocation is allowed by platform default and is not in itself a problem. There are no indications the skill modifies other skills' configs or claims permanent system-wide privileges.