Back to skill
Skillv0.1.0
ClawScan security
Renting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 4:45 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a lightweight, instruction-only rental-guidance skill whose declared purpose matches its minimal requirements and contains no hidden installs or credential requests.
- Guidance
- This skill appears coherent and low-risk: it is just a set of guidelines for rental searches and does not request credentials or install software. Before using, be cautious if the skill (or the agent using it) asks you to provide API keys, login credentials, or upload personal documents — ask which third-party services will be contacted and why. Prefer testing with non-sensitive queries first, and avoid sharing personally-identifying information or account passwords. If you need stronger assurance, ask the skill author for a homepage or implementation details listing any external services the skill will call.
Review Dimensions
- Purpose & Capability
- okThe name/description (rental listings, comparisons, guides) align with the SKILL.md content (filters, return fields, example queries). There are no unexpected binaries, env vars, or config paths requested that would be unrelated to providing rental guidance.
- Instruction Scope
- noteThe SKILL.md is high-level and stays within the stated purpose, but it is somewhat vague: it mentions 'third-party interfaces' and 'content updates' without naming services or endpoints. That vagueness gives the agent wide discretion to call external APIs or ask users for credentials when implemented, which is not inherently malicious but worth noting.
- Install Mechanism
- okNo install spec and no code files — this is instruction-only, so nothing is downloaded or written to disk by the skill itself.
- Credentials
- noteThe skill declares no required environment variables or credentials, which is proportional. However, because the instructions reference possible third-party interfaces, implementations or follow-up prompts could request API keys or account access; the SKILL.md does not justify or enumerate such needs.
- Persistence & Privilege
- okalways is false and the skill does not request elevated persistence. Model invocation is allowed (the platform default), which is expected for an interactive skill of this type.