Back to skill
Skillv1.0.0
ClawScan security
Creator Campaign Scorecard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 4:42 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only readiness checklist/scorecard for creator campaigns that is internally consistent with its description and requests no credentials or installs.
- Guidance
- This skill is an instruction-only checklist for scoring campaign readiness and appears coherent and low-risk: it asks for campaign details (goals, offer, creator fit, tracking design, budget) but does not request credentials or install code. Before using it, avoid pasting any secrets (API keys, account passwords, or raw tracking tokens). Remember it is not a substitute for legal or financial advice — do not use it for compliance/legal review. If you are concerned about autonomous agent actions, keep the skill user-invocable only (monitor outputs before acting) or restrict agent ability to take external actions.
Review Dimensions
- Purpose & Capability
- okThe name and description (pre-launch creator campaign readiness scoring) match the SKILL.md workflow and scoring dimensions. All requested inputs (goals, offer, creator fit, tracking, budget, etc.) are appropriate and proportional to the stated purpose.
- Instruction Scope
- okThe runtime instructions are narrowly focused on restating the campaign, scoring defined dimensions, identifying blockers/gaps, and recommending launch actions. They do not instruct the agent to read system files, access environment variables, or send data to external endpoints.
- Install Mechanism
- okNo install spec and no code files are included (instruction-only). This minimizes supply-chain and disk-write risk; nothing will be downloaded or executed by an installer as part of this skill.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The inputs it asks for are campaign details (budget, tracking setup, etc.) which are reasonable for a review. Be mindful not to paste secrets (API keys, account passwords) into prompts — the skill does not require them.
- Persistence & Privilege
- okalways:false and no persistent install mean the skill does not demand permanent presence. disable-model-invocation is false (agent may invoke autonomously), which is the platform default and not concerning here given the narrow, non-privileged scope.