Skill v1.0.1
ClawScan security
open-source-strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 8, 2026, 9:18 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill that provides open-source commercialization and growth guidance, requests no credentials or installs, and its instructions are consistent with its stated purpose.
- Guidance: This skill appears internally consistent and low-risk: it only contains written strategy guidance and asks for no credentials or installs. Before enabling, note that it references related skills (e.g., "github", "directory-submission"); if those are invoked later, review their requirements (they may request API keys or other access). As always, never paste secrets into prompts and review outputs for suggestions that would require sharing credentials or running commands. If you need stronger assurance, ask the publisher for provenance or a homepage/source link.
Review Dimensions
- Purpose & Capability (ok): The name/description (open-source strategy, OSS commercialization) match the SKILL.md content. All guidance and referenced related skills are coherent with the stated purpose; nothing requires elevated access or unrelated capabilities.
- Instruction Scope (ok): SKILL.md contains only prose guidance and invocation guidance (how/when to open). It does not instruct the agent to read files, access environment variables, call unexpected external endpoints, or perform system operations beyond producing recommendations.
- Install Mechanism (ok): No install spec and no code files — instruction-only. No downloads, no package installs, and therefore nothing written to disk by the skill itself.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. There are no apparent disproportionate or unrelated credential requests.
- Persistence & Privilege (ok): always is false and the skill is user-invocable. disable-model-invocation is false (normal), but there is no evidence of privileged persistence, system config modification, or cross-skill credential access.
