Skill v1.0.2

ClawScan security

Incorporate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 7:54 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and runtime instructions match its stated purpose (generating incorporation documents); it is internally coherent, with only minor implementation/packaging omissions you should be aware of.
Guidance
This skill appears to do what it says: it contains state-specific references, document templates, example configs, and a Python generator that outputs .docx files. Before installing or running:
1) Note there is no install spec — ensure the runtime has python-docx (and PyYAML if you use YAML configs) installed (pip3 install python-docx pyyaml).
2) SKILL.md mentions uploading to Google Drive, but the included script does not implement Drive uploads or handle Drive credentials; if you plan to use Drive output, add a secure upload step and explicitly provide credentials only when needed.
3) Review the templates for any personally identifying data before using or uploading to cloud storage (addresses and SSNs are not present in the templates, but generated documents will include whatever you supply).
4) This tool generates legal documents but is not a substitute for legal advice — consult a lawyer for complex cap tables, multi-class preferred financing, or investor negotiations.
5) If you want stricter supply-chain hygiene, ask the publisher to declare runtime dependencies and provide an install spec or packaged environment (requirements.txt) so dependency installation is explicit.

Review Dimensions

Purpose & Capability
ok: Name/description promise (generate Articles/Bylaws/Operating Agreements, ledgers, checklists) aligns with included templates, references, example configs, and the generator script (scripts/generate.py). The templates cover Nevada and Delaware and the generator substitutes variables and emits .docx, which is appropriate for the stated purpose.
Instruction Scope
note: SKILL.md confines actions to collecting user config, reading local reference files/templates, generating documents, and delivering outputs. One minor mismatch: SKILL.md mentions uploading to Google Drive, but there is no code in scripts/generate.py that performs Google Drive uploads or instructions for Drive credentials — upload is only supported conceptually via a google_drive_folder_id in the config template. Otherwise the runtime instructions stay within the stated purpose and do not request unrelated system data.
Install Mechanism
note: There is no install spec (instruction-only), which minimizes risk; however, scripts/generate.py depends on python-docx and optionally PyYAML. Those dependencies are not declared in registry metadata and no installer is provided. The generator prints a pip install hint and exits if python-docx is missing. This is a packaging/operational omission, not malicious (no external downloads or obscure install URLs in the package).
Credentials
ok: The skill requests no environment variables, secrets, or config paths. The config template includes an optional google_drive_folder_id field — using Google Drive would require credentials, but those are not requested by the skill as packaged, so no unexplained credential access is present.
Persistence & Privilege
ok: Skill is not always-enabled, does not request persistent system privileges, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other concerning factors.