Back to skill
Skillv1.0.0
ClawScan security
Promo Calendar Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 10:47 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only planner for scheduling promos; its requirements and runtime instructions are consistent with that purpose and it does not request extra credentials, installs, or unexpected system access.
- Guidance
- This is an instruction-only scheduling assistant and appears internally consistent. Before installing or using it: (1) confirm you will provide campaign constraints interactively (it does not fetch data itself), (2) do not paste sensitive credentials or direct inventory database exports into the tool unless you trust the environment, (3) note the CC BY-NC-SA license — commercial use may require a separate license from Razestar, and (4) validate the generated plan with your ops team before enacting any promotions.
Review Dimensions
- Purpose & Capability
- okName, description, and SKILL.md all describe promo scheduling and the expected inputs (campaign goals, inventory, creator slots). The skill does not request unrelated credentials, binaries, or config paths.
- Instruction Scope
- okRuntime instructions are limited to collecting promo constraints, mapping intents to channels/times, detecting conflicts, and producing a 7-day plan. There are no commands, file reads, or external endpoints referenced in SKILL.md; the agent must ask the user for required data.
- Install Mechanism
- okNo install spec and no code files — instruction-only — so nothing will be written to disk or downloaded during installation.
- Credentials
- okNo required environment variables, credentials, or config paths are declared; the skill does not ask for unrelated secrets or broad system access.
- Persistence & Privilege
- okalways is false and there is no request for persistent system presence or modification of other skills. Model invocation is enabled (platform default) but that is expected and not concerning here because the skill has no external access or credentials.