Skill v1.0.2

ClawScan security

Privacy Tech Advisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 3:11 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requirements and instructions are coherent with its stated purpose (an API-backed privacy tech advisor), but it will send potentially sensitive organizational data to a third-party API — review the endpoint, billing, and data-handling before enabling.
Guidance
Before installing, consider that every successful run sends organization-specific information (org name, assessor name, data volumes, compliance needs, revenue ranges, etc.) to https://portal.toolweb.in. Verify you trust the vendor, read their privacy/data-retention and billing docs, and confirm TLS and API key handling. If data is sensitive, test with anonymized or synthetic inputs or a sandbox API key first. Monitor API usage/billing and consider network egress controls or allowlisting if your org restricts outbound calls. If you need offline recommendations or cannot share certain fields, this skill cannot operate without calling the remote API (the SKILL.md forbids local answers).
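The guidance above recommends allowlisting the egress host, confirming TLS, keeping the API key out of the command line, and testing with anonymized inputs. The following pre-flight wrapper is an added example written for this review, not code from the skill, ToolWeb, or ClawHub: it refuses anything but HTTPS to portal.toolweb.in, replaces the identifier fields with keyed pseudonyms before the payload leaves the host, and builds a curl invocation that pins the protocol and reads the Authorization header from a file. The request path, the payload schema beyond the field names the scan lists (organization_name, assessor_name), the header-file location and the sample payload are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import shlex
from urllib.parse import urlparse

# The only host the skill declares it calls (from the scan's guidance).
ALLOWED_HOSTS = {"portal.toolweb.in"}

# Fields treated as direct identifiers. The two names come from the scan's
# payload description; treating only these as identifiers is an assumption,
# adjust the tuple to the real request schema.
IDENTIFIER_FIELDS = ("organization_name", "assessor_name")

# Constructed sample request; the schema is assumed, not ToolWeb's documented one.
SAMPLE_PAYLOAD = {
    "organization_name": "Example Health Co",
    "assessor_name": "J. Doe",
    "size": "200-500",
    "revenue": "10M-50M",
    "data_volume": "1-10 TB",
    "compliance_requirements": ["HIPAA", "SOC 2"],
}


def endpoint_allowed(url: str) -> bool:
    """True only for HTTPS to an allowlisted host; suffix tricks
    (portal.toolweb.in.attacker.example) fail because the full hostname is compared."""
    u = urlparse(url)
    return u.scheme == "https" and u.hostname is not None and u.hostname in ALLOWED_HOSTS


def pseudonymize(payload: dict, secret: bytes) -> dict:
    """Return a copy with identifier fields replaced by keyed, stable pseudonyms.

    HMAC rather than a plain hash, so the vendor cannot brute-force a short org
    name from the tag; keyed with a local secret, so repeated runs for the same
    org still correlate on our side but not across organisations that use
    different keys. Non-identifying fields the recommendation depends on
    (size, revenue band, data volume, compliance needs) are passed through.
    """
    out = dict(payload)
    for field in IDENTIFIER_FIELDS:
        if out.get(field) is not None:
            tag = hmac.new(secret, str(out[field]).encode(), hashlib.sha256).hexdigest()[:16]
            out[field] = f"pseudo-{tag}"
    return out


def build_curl_argv(url: str, payload: dict, header_file: str) -> list[str]:
    """curl argv with the protocol pinned to https, a timeout, and the
    Authorization header read from a file (curl's -H @file form) so the
    TOOLWEB_API_KEY never appears in process listings or shell history."""
    if not endpoint_allowed(url):
        raise ValueError(f"refusing egress to {url!r}: not https to an allowlisted host")
    return [
        "curl", "--proto", "=https", "--fail", "--max-time", "30",
        "-H", "Content-Type: application/json",
        "-H", f"@{header_file}",  # file contains: Authorization: Bearer <TOOLWEB_API_KEY>
        "--data", json.dumps(payload),
        url,
    ]


if __name__ == "__main__":
    # Assumed endpoint path and header-file location, shown for illustration only.
    safe = pseudonymize(SAMPLE_PAYLOAD, b"replace-with-a-local-secret")
    argv = build_curl_argv("https://portal.toolweb.in/api/v1/assess", safe,
                           "/run/secrets/toolweb.hdr")
    print(shlex.join(argv))
```

Run it once with a sandbox API key and compare the printed request against what the skill actually sends; if the vendor's recommendations degrade noticeably with pseudonymous names, that tells you the service keys on the identity rather than the attributes, which is itself worth knowing before you share real data.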

Review Dimensions

Purpose & Capability
ok · Name/description match the implementation: the SKILL.md requires a TOOLWEB_API_KEY and curl and instructs the agent to call ToolWeb's API for privacy assessments and recommendations. These requirements are proportional to an API-backed advisory service.
Instruction Scope
note · Instructions explicitly require ALWAYS calling the external API and forbid answering from local knowledge. The data payload includes organization_name, assessor_name, size, revenue, data volume, compliance requirements, and other potentially sensitive details. This is coherent with the service but increases data-exposure risk. No instructions ask the agent to read unrelated files or env vars.
Install Mechanism
ok · This is an instruction-only skill with no install spec or code files. No binaries are installed; the only runtime dependency is curl. Low install risk.
Credentials
ok · Only a single env var (TOOLWEB_API_KEY) is required and declared as the primary credential. That is appropriate for an API-based service; no unrelated credentials or config paths are requested.
Persistence & Privilege
ok · The always flag is false, and the skill does not request persistent system-wide privileges or modify other skills. The agent may invoke the skill autonomously (platform default), which is expected for skills of this type.