Skill v2.0.0

ClawScan security

Nonprofit Management · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 5, 2026, 12:11 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested resources, instructions, and included reference materials are consistent with a nonprofit operations assistant and do not ask for unrelated credentials or install actions.
Guidance
This skill appears coherent and advisory-only, but be cautious with real donor data or PII: test with dummy data first and confirm how your OpenClaw host stores, logs, or shares conversation contents. Verify organizational privacy controls before providing donor lists or sensitive financial details. If you plan to use outputs for filings or legal compliance, have a CPA or attorney review them (the skill itself warns to do so). If you intend to use integrations (emailing donors, calendar alerts, CRM exports), ensure those connectors request only the minimal credentials and audit where data is sent.

Review Dimensions

Purpose & Capability
ok
Name and description (IRS compliance, grant/donor/board operations) match the SKILL.md content and the reference files. The skill does not request unrelated binaries, credentials, or config access that would be disproportionate to its stated purpose.
Instruction Scope
note
SKILL.md is purely advisory and provides templates, reminders, and checklists; it explicitly constrains itself (no legal advice, no filing of returns, treat donor info as confidential). Important operational detail: because this is instruction-only, the skill's runtime behavior depends entirely on the hosting agent — the instructions do not describe how donor data is stored, transmitted, or logged. The SKILL.md does not instruct reading system files, environment variables, or posting data to third-party endpoints.
Install Mechanism
ok
No install specification and no code files to execute — lowest install risk (instruction-only skill).
Credentials
ok
No required environment variables, no primary credential, and no config paths requested. The lack of credential requests is proportionate to a guidance/templates skill that does not directly integrate with external systems.
Persistence & Privilege
ok
always is false and default autonomous invocation is permitted (normal). The skill does not request persistent system-wide privileges or modify other skills' configurations in its instructions.