Skill v1.0.0
ClawScan security
GRC-Agent | SOC 2 Quality Review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 20, 2026, 6:29 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only SOC 2 quality-review skill whose files, instructions, and required resources are consistent with its stated purpose and do not request unrelated credentials, installs, or system access.
- Guidance: This skill is internally coherent and appears safe from a permissions/requirement standpoint, but keep in mind:
  - It is an analysis aid, not a legal or certification authority; verify final decisions with human experts.
  - The agent will process whatever report text you provide. Avoid sending unnecessary PII or sensitive production data unless you are comfortable with where and how the agent runs (platform/data handling policies).
  - Follow-up vendor requests and auditor credential checks suggested by the skill should be independently verified (e.g., check CPA licensing/peer-review records directly).
  - Because this is instruction-only, there is no code to inspect beyond the included docs; treat outputs as advisory and validate critical conclusions manually before acting.
Review Dimensions
- Purpose & Capability: ok. Name, description, and included reference materials all describe a SOC 2 report quality-review assistant. The skill declares no binaries, env vars, or config paths and does not attempt to access unrelated systems; its requirements are proportional to the stated purpose.
- Instruction Scope: ok. The SKILL.md instructs the agent to score S1–S11, run S12+ diligence, produce a scorecard and follow-up requests, and consult the shipped reference docs. It does not instruct reading arbitrary system files, contacting external endpoints, or accessing credentials. It does instruct creating vendor-facing request text, which is appropriate for the purpose.
- Install Mechanism: ok. No install spec or code is present; this is instruction-only. No downloads, package installs, or extracted artifacts are required, which minimizes on-disk execution risk.
- Credentials: ok. The skill requests no environment variables, credentials, or config paths. The instructions refer only to bundled reference docs and user-provided reports/evidence, which is appropriate for a document-review assistant.
- Persistence & Privilege: ok. The skill does not request always:true, does not modify other skills or system settings, and has the normal default autonomous-invocation setting. Its level of persistence and privilege is appropriate for an on-demand review helper.
