Skill v1.1.0

ClawScan security

Bundle Strategy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 2:21 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only bundle-strategy playbook whose requirements and instructions are coherent with its stated purpose and do not request unexplained system access or credentials.
Guidance
This skill is an instruction-only playbook and appears internally consistent, but consider the following before using:
(1) it expects you to provide or allow access to order-level transaction data, SKU landed cost, inventory levels, and sales volumes — treat those as business-sensitive and avoid exposing unnecessary PII or full DB credentials;
(2) prefer supplying sampled or synthetic data when testing the workflow, or grant read-only, scoped access if automating data extraction;
(3) because the skill source is 'unknown' and there is no homepage, verify the content meets your internal processes and compliance needs before sharing live customer data;
(4) validate any automated steps you build from this guidance (scripts, queries) in a sandbox to ensure they don't inadvertently modify systems or export data externally;
(5) if you plan to have an agent fetch data automatically, implement least-privilege credentials, logging, and monitoring so you can revoke access if needed.

Review Dimensions

Purpose & Capability
ok: Name and description (design product bundles from transaction and cost data) match the SKILL.md content and included references; no unrelated binaries, env vars, or install steps are requested.
Instruction Scope
note: The runtime instructions assume access to order-level transaction data, SKU cost/pricing, and inventory figures (appropriate for this task). This is expected, but it means anyone executing the guidance will need to supply or grant access to potentially sensitive business/customer data — the SKILL.md does not prescribe how to obtain that data or limit scope/PII.
Install Mechanism
ok: No install spec or code files; instruction-only approach minimizes on-disk risk and there is no third-party download or package installation.
Credentials
ok: The skill declares no environment variables, credentials, or config paths; the data it needs (transactions, costs) is proportional to the stated purpose.
Persistence & Privilege
ok: always:false and no install actions; the skill does not request permanent presence or modifications to other skills or system-wide settings.