Skill v1.0.0
ClawScan security
SAP FICO Expert - Australia · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 17, 2026, 9:36 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only SAP FI/CO consultant for Australian requirements and its files, scope, and resource requests are coherent with that purpose.
- Guidance: This skill appears coherent and contains focused SAP FI/CO guidance for Australia. It does not request credentials or install code, so the immediate security footprint is small. Before relying on any procedural or remediation steps in production: 1) verify OSS note numbers and KBA references directly in SAP OSS / SAP Help Portal (the skill includes some explicit note numbers despite its internal guardrail against inventing them); 2) confirm bank file formats/BSB examples with the target bank and your bank integration team; 3) treat ABAP snippets (if provided) as examples — review and test in a sandbox before deploying; 4) be aware the skill is auto-activated on SAP keywords, so it may be suggested frequently. If you want extra caution, only enable user-invocation or disable automatic activation.
Review Dimensions
- Purpose & Capability (ok): Name, description, and all included files (SKILL.md, system_prompt.md, examples, Australian banking/tax docs) consistently implement an Australian SAP FI/CO consulting assistant. There are no unrelated binaries, environment variables, or config paths requested that would be disproportionate to the stated purpose.
- Instruction Scope (note): Runtime instructions and a strict mandatory response format are narrowly scoped to SAP FI/CO tasks. One inconsistency to note: the system prompt's 'never_invent' guardrail forbids inventing OSS note numbers/KBA numbers, yet the examples and SKILL.md include explicit OSS note numbers and some Fiori app names. This is a content-consistency issue (could cause confusion about whether listed note numbers are authoritative) rather than a direct security risk. Verify any OSS note numbers or KBAs the assistant cites against SAP OSS/Help Portal before acting on them.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. Nothing is downloaded or written to disk by the skill itself, which minimizes install-time risk.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. There is no disproportionate access requested relative to the skill's functionality.
- Persistence & Privilege (note): The skill is enabled and configured for automatic activation based on many SAP-related keywords (activation.mode = 'auto') and is user-invocable. This is consistent with an assistant plugin of this type, but it means the skill may be suggested or invoked when SAP-related context appears. It does not use 'always: true' and does not request extra system privileges.
