Skill v0.1.0

ClawScan security

Budget Intel · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 1:50 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions are generally consistent with its stated purpose (public-source budget estimation using a local Python engine), but there are minor mismatches between declared tools and the SKILL.md tooling names that you should confirm before installing.
Guidance
This skill appears to do what it says: gather public-company signals and compute budget ranges locally. Before installing, verify two things: (1) confirm that the runtime exposes the tools SKILL.md expects (web_search / tavily-search / deep-research-pro) or that they are mapped to the functions listed in tools_schema (search_company_info, search_tender_info, etc.); mismatches could cause failures or unexpected fallback behaviors. (2) Inspect the full budget_engine.py (the manifest shows a truncated file) to ensure no hidden network/subprocess calls or telemetry are present. Also validate that the test/CLI commands referenced in TEST_CASES.md (e.g. 'python3 budget_engine.py test') actually exist. If you plan to run this against sensitive targets, remember it will perform web searches and assemble open-source signals — avoid providing confidential company identifiers or credentials. If you want higher assurance, run the skill in a sandboxed environment and review the complete budget_engine.py source before granting execution.

Review Dimensions

Purpose & Capability
note: The skill's name/description (enterprise budget intelligence) aligns with the included budget_engine.py and SKILL.md pipeline. However, there is a mismatch between tooling names: SKILL.md and MANIFEST refer to search engines named like 'web_search', 'tavily-search' and 'deep-research-pro' (MANIFEST lists 'web_search', 'tavily', 'deep-research-pro'), while tools_schema exposes RPC-like tool names (search_company_info, search_tender_info, search_job_info, search_news_pr, calculate_budget, generate_sales_advice). Confirm the runtime mapping between SKILL.md tool names and the declared tool schema.
Instruction Scope
ok: SKILL.md confines the agent to collecting public-company data (financials, tenders, jobs, news) and passing extracted numeric inputs to budget_engine.py for calculations. The instructions do not ask the agent to read local files, environment variables, or to transmit arbitrary data to unknown endpoints. The included budget_engine.py appears to only perform local numeric calculations and merging of estimates (no network I/O visible in provided code).
Install Mechanism
ok: No install spec — instruction-only plus a bundled Python module. That is low-risk compared to remote downloads. The engine is executed locally (python3), which is consistent with the manifest's code_execution capability. Recommend verifying the full budget_engine.py file (truncated in manifest) to ensure there are no hidden network calls or subprocess execution in parts not shown.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. This is proportionate for a public-source research and local-calculation tool.
Persistence & Privilege
ok: The manifest's 'always' flag is false and the skill does not request persistent/system-wide privileges. The skill does include a local Python module but does not attempt to modify other skills or global configuration in the provided materials.