Skill v1.0.0

ClawScan security

Qsr Audit Readiness Countdown · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 7, 2026, 10:17 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only, milestone-driven audit-prep coach whose requirements and instructions are consistent with its stated purpose and do not request extra credentials or install code.
Guidance
This skill appears coherent and low-risk: it only contains instructions and asks the operator for audit-related information. Before installing, consider: (1) privacy — you will be asked to enter potentially sensitive operational data (previous findings, employee names/roles), so confirm you’re comfortable storing that in the agent memory; (2) provenance — the source/homepage is unknown, so if you require vendor support or updates, prefer skills with an identified maintainer; (3) licensing — SKILL.md/README include non-standard redistribution terms (commercial redistribution requires permission); and (4) integration — if you plan to pair this with other skills that expose data externally, review how data flows between them. If any of the above is a concern, avoid storing PII in the skill or disable memory/persistence where possible.

Review Dimensions

Purpose & Capability
ok: Name/description match the instructions: a 30-day audit countdown, checklists, prompts, and milestone reports. There are no unexpected binaries, credentials, or unrelated dependencies requested.
Instruction Scope
note: SKILL.md directs the agent to ask for audit type, window, checklist, responsible people, and prior findings and to store milestone records in memory. These actions are appropriate for audit prep but will collect operational and personnel data (e.g., names, previous findings). The instructions do not ask the agent to read system files, call external endpoints, or access unrelated environment variables.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes risk because nothing is written to disk or downloaded during install.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The data it asks for (audit checklist, previous findings, responsible people) is reasonable for the stated purpose.
Persistence & Privilege
note: "always" is false and autonomous invocation is allowed (the platform default). The SKILL.md expects the agent to persist milestone entries in memory; users should confirm whether they want those audit details retained in the agent memory store.