Skill v1.0.0

ClawScan security

analytics-engineer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 11:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only analytics-engineer guide (dbt/SQL/architecture examples) and its requirements and instructions are consistent with that purpose.
Guidance
This is a documentation/authoring skill that generates dbt projects, SQL, macros and runbooks — it does not install software or request secrets. Before using generated SQL or dbt configs in a real environment, review them carefully and run them against development/staging environments first. Running dbt or connecting to a warehouse will require separate credentials you should manage securely; the skill will not provide or request those. If you allow autonomous agent actions that execute queries or deploy configs, restrict what credentials the agent can reach and test in a safe environment.

Review Dimensions

Purpose & Capability
ok: Name and description match the provided content: dbt project structure, SQL examples, macros, testing, BI integration and governance. The skill does not request unrelated binaries, environment variables, or config paths.
Instruction Scope
ok: SKILL.md contains guidance, patterns, and an explicit output format (project structures, tests, runbooks). It references included code examples for implementation. It does not instruct the agent to read local files, access system credentials, or transmit data to external endpoints beyond normal guidance.
Install Mechanism
ok: No install spec and no code files that would be written or executed on disk. This instruction-only format is low risk and consistent with the stated purpose.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. This is proportional for an advisory/authoring skill that produces dbt/SQL guidance. Note: to actually run dbt or connect to warehouses, users will need to supply appropriate credentials in their environment — but the skill itself does not request them.
Persistence & Privilege
ok: "always" is false and there is no install behavior that would modify agent/system configuration or other skills. Autonomous invocation is allowed by default but not combined with other risky indicators.