Skill v1.0.1

ClawScan security

Painpoint Discovery Expert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 6:50 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are consistent with a web-research-focused painpoint discovery assistant — nothing it asks for or tells the agent to do is disproportionate to that purpose.
Guidance
This skill appears to do what it says: web-search and scrape public content to build painpoint reports. Before enabling or running it, consider:
1) Browser scraping: it will access public pages and may capture user comments that contain personal data — review and redact PII before sharing externally.
2) Terms of service: automated scraping of sites like Reddit/Quora may violate their terms; prefer using official APIs or rate-limited, polite scraping.
3) Subagent runs: deep-research spawns longer subagents that can run for many minutes and save report files — ensure you’re comfortable with that autonomy and any platform quotas.
4) Health/legal content: when exploring health or regulated domains, add disclaimers and avoid providing medical advice.
5) Validation: outputs are research-driven but not validated; follow up with interviews or experiments before making product decisions.
If any of the above are unacceptable, restrict the skill to quick mode only or require user approval before spawning subagents or scraping specific domains.

Review Dimensions

Purpose & Capability
ok: Name/description, declared browser tool requirement, and instructions (web searches, forum scraping, report generation) align with a web-research painpoint discovery workflow. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: Instructions direct the agent to run searches, open result pages, snapshot content, extract quotes and cluster complaints — all expected for this purpose. Note: the skill explicitly recommends scraping social media/forums (Reddit/Quora) and quoting source comments; that may collect public PII and could raise site terms-of-service or privacy concerns. Also deep-research mode spawns longer sessions and will save report files.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest install risk (nothing is downloaded or written by an installer).
Credentials
ok: Requires no environment variables, credentials, or config paths. The lack of secret requests is proportionate to the claimed functionality.
Persistence & Privilege
note: always:false and default autonomous invocation is used. The skill documents spawning of a subagent for deep research (sessions_spawn) that can run longer and produce files; this is consistent with its purpose but means a deeper-running, semi-autonomous task will execute if the user requests it — consider platform limits and oversight for long-running subagents.