Skill v1.0.0

ClawScan security

CompoundOS - AI Operating System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 15, 2026, 4:15 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill is largely coherent as a playbook for building an AI 'operating system' for businesses, but its runtime instructions grant broad autonomous actions (invoicing, payments, posting ads, webhooks) and lack explicit safeguards or any declared credential/endpoint handling — this mismatch raises caution before deployment.
Guidance
This skill is a coherent design and playbook for building a business AI OS, but it gives agents broad autonomy to act on external systems (ads, payments, CRMs) and to log "everything." Before installing or enabling it:

- Confirm where agent execution actually runs (your infrastructure vs vendor cloud) and who controls connectors.
- Do not embed secrets or API keys inside permanent agent instructions or prompts; use a secure secrets store and least-privilege credentials.
- Require explicit human approval gates for high-impact actions (payments, billing changes, major ad spends, account changes).
- Review and limit auto-capture scope: redact PII/sensitive fields and limit retention or store memory encrypted.
- Test with sandbox/test accounts for payment/ad/CRM integrations before live operations.
- Add audit logging and alerts for any outbound webhook/API calls and a kill switch to stop autonomous actions.

If the publisher can clarify expected connectors, where credentials are stored, and how human approvals and data protections are enforced, that would raise confidence. Without those safeguards in place, treat deployments as higher risk.
Findings
[no_findings] expected: Regex-based scanner found nothing — expected because this is an instruction-only skill with no code files. Absence of findings does not imply the runtime behavior is safe; the SKILL.md contains actionable guidance that will be executed by the integrator's agent.

Review Dimensions

Purpose & Capability
note: The name/description match the SKILL.md content: templates and a 9-component architecture are appropriate for a business AI OS. However, many templates describe agents with capabilities that require external system access (payment processing, posting ads, sending invoices, integrating CRMs) even though the skill declares no required environment variables, credentials, or connector configuration. That absence isn't fatal for an instruction-only skill, but it is noteworthy: implementers will need to supply those integrations separately.
Instruction Scope
concern: SKILL.md instructs agents to Auto-Capture 'all decisions, actions, outcomes', integrate with APIs/CRMs/webhooks, and gives department agents 'full autonomy' for actions like creating ads, posting content, sending invoices and processing payments. The instructions do not specify safeguards (human approval gates, least privilege, or where secrets live) nor limit what data is captured. This creates a risk of unintended API calls, sensitive-data logging, or credential misuse if an agent is granted runtime access.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal installation risk. Nothing is downloaded or written by the skill package itself.
Credentials
note: The skill declares no required env vars or primary credential, yet many described capabilities necessarily need external credentials (payment processors, ad platforms, CRMs). The mismatch isn't necessarily malicious (authors may expect integrators to wire connectors), but it means the skill's instructions assume external secrets will be provided elsewhere; this should be made explicit before granting any runtime access.
Persistence & Privilege
ok: always=false and model invocation is allowed (platform default). The skill asks the operator to 'feed strategic document into AI agent's permanent instructions' (expected for agent setups) but does not request to modify other skills or system-wide settings. No elevated persistent privilege is requested by the package itself.