Skill v1.1.0

ClawScan security

Size Guide Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 25, 2026, 3:24 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's descriptions, runtime instructions, and included reference files are coherent with a size-guide creation tool and it does not request unrelated credentials, installs, or system access.
Guidance
This skill appears coherent and low-risk: it only contains instructions and reference content for building size guides and doesn't request secrets or install code. Before using, avoid pasting private URLs, credentials, or private store API tokens into prompts unless you intend the agent to access those resources. If you need the skill to integrate directly with Shopify/WooCommerce, plan for a secure, minimal credential flow — the skill currently does not declare or manage platform tokens. Finally, review any generated size tables and conversion rules against manufacturer specs (and site terms if scraping) before publishing. If you want stronger guarantees, request a code-based implementation that you can review, or run the instructions manually rather than granting the agent autonomous access to customer data or live product pages.

Review Dimensions

Purpose & Capability
ok: Name and description match the instructions and reference documents: the skill is an instruction-only guide for creating size charts, measurement instructions, conversions, and delivery formats. It does not declare any unrelated dependencies, environment variables, or platform access that would be inconsistent with its stated purpose.
Instruction Scope
note: SKILL.md asks the agent to gather product/category context and says that if the user provides a product URL or product data, the agent should extract sizing information from it directly. This is reasonable for the purpose but implies web data extraction when URLs are supplied — the instructions do not direct the agent to access local system files, secrets, or unrelated endpoints. Users should avoid providing private URLs or credentials unless they intend the agent to access them.
Install Mechanism
ok: No install spec and no code files — instruction-only content is low-risk because nothing will be written to disk or auto-downloaded during install.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. The scope of requested data (product/category info, optional product URL) is proportionate to building a size guide.
Persistence & Privilege
ok: always:false and no modifications to other skills or system configuration. Model invocation is allowed (platform default), which is normal for an agent skill; this combination is not concerning given the skill's limited scope and lack of credential access.