Skill v1.0.0

ClawScan security

Customs Trade Compliance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 25, 2026, 11:07 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and requirements are coherent with a customs & trade compliance assistant and do not request unrelated credentials or installs.
Guidance
This skill appears internally consistent and is instruction-only (no installers, no requested credentials). Before installing or using it: (1) Verify the publisher/repository (homepage is provided) to ensure the source and maintenance status meet your organizational policies; (2) avoid pasting secrets or system credentials into prompts — provide only shipment-specific data (descriptions, quantities, HS-candidates, values) necessary for advice; (3) review the small code file (evals/run_evals.py) and templates locally if you plan to host or extend the skill to ensure there are no hidden network calls or telemetry you don't expect; (4) treat the skill's output as expert guidance, not legal advice — confirm critical classifications, FTAs, and penalty exposure with a licensed customs broker or legal counsel before filing declarations.

Review Dimensions

Purpose & Capability
ok: Name, description, SKILL.md content, and included evaluation material all focus on customs, tariff classification, Incoterms, valuation, restricted-party screening and related documentation. There are no unrelated required binaries, environment variables, or config paths; the manifest (docs, rubrics, evaluation results) is proportional to a compliance knowledge/assistant skill.
Instruction Scope
note: SKILL.md instructs the agent to act as a senior trade compliance specialist and references systems commonly used in the domain (ACE, CHIEF/CDS, ATLAS, broker portals). The instructions do not tell the agent to read system files, environment variables, or to transmit data to unexpected external endpoints. Note: because the skill expects operational trade details, in normal use the agent will ask for shipment-specific data (HS codes, IOR numbers, commercial invoices) which can be sensitive—that is expected for the skill's purpose but users should avoid pasting unrelated secrets.
Install Mechanism
ok: This is an instruction-only skill with no install spec. No packages are downloaded or written to disk, minimizing install-time risk.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config-path access. The lack of requested secrets is proportional to an instruction-only compliance guidance capability.
Persistence & Privilege
ok: Flags show always=false and normal model invocation allowed. The skill does not request permanent presence or elevated privileges and there is no install step that modifies other skills or system-wide settings.