Back to skill
Skillv1.1.0
ClawScan security
creator-program · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 4:38 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This instruction-only skill is internally consistent with its stated purpose (planning and running creator programs) and does not request extra permissions, installs, or credentials.
- Guidance
- This skill appears coherent and low-risk: it's an instruction-only guide for creator programs and asks no credentials or installs. Before installing, you may (1) open SKILL.md yourself to confirm it contains only guidance you expect, (2) ensure any project-context files (.claude/project-context.md or .cursor/project-context.md) do not contain sensitive secrets you wouldn't want the agent to read, and (3) remember that the agent can call the skill autonomously by default (normal behavior). If you want extra caution, disable autonomous invocation or review the agent's permissions/usage policy before enabling the skill.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: the skill provides guidance, templates, timelines, and KPIs for creator programs and does not require unrelated resources or credentials.
- Instruction Scope
- okRuntime instructions are prose-only and stay on-topic. They suggest reading .claude/project-context.md or .cursor/project-context.md for product context (reasonable for tailoring recommendations) and do not instruct the agent to access unrelated system locations, credentials, or external endpoints.
- Install Mechanism
- okNo install spec and no code files—this is instruction-only, so nothing will be downloaded or written to disk by an installer.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths; there are no disproportionate secret requests.
- Persistence & Privilege
- okalways is false (no forced inclusion). The skill can be invoked autonomously by the agent (the platform default) but it does not request elevated or persistent privileges.