Skill v1.0.0
ClawScan security
Shipping Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 3:21 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only shipping cost analysis helper that asks you to supply SKU, volume, and origin data and does not request credentials, install software, or perform external network access from its instructions.
- Guidance: This is an instruction-only tool that asks you to paste your SKU dimensions, monthly volumes, origins, and (optionally) your current shipping costs so it can estimate per-unit landed costs across carriers and fulfillment options. It does not fetch carrier quotes or access your carrier accounts; do not share carrier login credentials or private dashboards. Because outputs are estimates based on published rate rules and the numbers you provide, validate any recommended changes with real carrier quotes and your contract terms before switching providers. If you are uncomfortable sharing detailed volume or cost data, consider anonymizing or aggregating inputs (e.g., ranges or percentage splits) before using the skill.
Review Dimensions
- Purpose & Capability (ok): The name/description (shipping cost and fulfillment model comparisons) matches the SKILL.md content. There are no unexpected requirements (no cloud credentials, no carrier API tokens) and the skill explicitly states it relies on user-provided data rather than pulling account information.
- Instruction Scope (note): Instructions are limited to collecting user-provided catalog, origin, and delivery-window inputs and producing a comparative report. Note: the skill asks for commercially sensitive data (volumes, negotiated costs), which is expected for the task; the user should avoid sharing carrier account credentials or private dashboards because the skill does not declare any need for them.
- Install Mechanism (ok): No install spec and no code files; the skill is instruction-only. This minimizes risk because nothing is written to disk or fetched during install.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The absence of declared credentials is consistent with the SKILL.md statement that it cannot access carrier dashboards and uses user-supplied numbers.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request permanent/system-level presence or any modifications to other skills or agent config. Autonomous model invocation is allowed by default but not combined with other privilege concerns here.
