Skill v1.0.0

ClawScan security

generate-fractional-cfo-firm-client-education-handout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 7:06 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only template for producing a client-facing handout; its declared requirements and instructions are proportionate and consistent with that purpose.
Guidance
This skill is instruction-only and appears coherent for creating a client handout. Before installing or enabling it for real client work: 1) Confirm which SkillBoss capabilities (especially image_generation) the agent will call and whether those providers handle your client data appropriately. 2) Review any generated visuals and text before sharing externally (the SKILL.md explicitly advises review). 3) If you rely on client financial data, ensure the agent and any downstream services meet your privacy/compliance requirements. If the publisher later adds environment variables, download/install steps, or explicit external endpoints, re-evaluate — those would raise the risk profile.

Review Dimensions

Purpose & Capability
ok: Name and description (generate a CFO firm handout with visuals/FAQs) align with the actual contents: an instruction-only SKILL.md that references chat and image_generation. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
note: The runtime instructions are limited and appropriate (clarify audience, produce draft, refine). One vague item — “Use the relevant SkillBoss capabilities to enrich assets or supporting data” — gives the agent broad discretion to call other capabilities; recommend reviewing which capabilities will be invoked at runtime and ensuring they are appropriate for client data.
Install Mechanism
ok: No install spec and no code files (instruction-only). This minimizes disk/writing risk; nothing is downloaded or installed.
Credentials
ok: No environment variables, credentials, or config paths are requested. The skill does not ask for secrets or extraneous service tokens.
Persistence & Privilege
ok: always is false and the skill is user-invocable. It may be invoked autonomously by the agent (platform default), but there are no additional privileged persistence or cross-skill config changes requested.