Skill v0.1.0
ClawScan security
bilanz · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 18, 2026, 10:24 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, runtime instructions, and requested capabilities are internally consistent: it runs a small local shell script that prints static Austrian Bilanz templates and requires no credentials or external network access.
- Guidance: This skill appears coherent and low-risk: it only runs a small local shell script that prints static Bilanz templates and a status message. Before installing, confirm you trust the publisher (no homepage was provided in the registry metadata) and note that the skill requires exec permission to run the included script; inspect scripts/bilanz-check.sh if you want to verify behavior locally. If you plan to feed it real financial data, remember the script currently only prints static zeroed templates and does not perform validations or persist data.
Review Dimensions
- Purpose & Capability (ok): Name/description (Austrian Bilanz generator) matches the included assets: SKILL.md documents --aktiva/--passiva and the script scripts/bilanz-check.sh implements those flags and prints the expected reports.
- Instruction Scope (ok): SKILL.md instructs the agent to run the bundled script with specific flags; the instructions do not ask the agent to read unrelated files, access environment variables, or transmit data to external endpoints.
- Install Mechanism (ok): No install spec is present (instruction-only plus a packaged script). Nothing is downloaded or extracted from untrusted URLs and the skill will only execute the provided local script.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths; the script also does not read any env vars or secrets.
- Persistence & Privilege (ok): always is false and the skill does not modify agent configuration or request persistent system-wide privileges. claw.json lists exec permission which is appropriate for running the bundled shell script.
