Skill v1.0.0
ClawScan security
Inventory Demand Planning · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 11:07 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only domain knowledge pack for inventory demand planning and its requested footprint (no env vars, no installs, minimal code) matches the stated purpose.
- Guidance: This skill is a self-contained knowledge pack (no installers, no credentials requested) and appears coherent with its purpose. Before installing, confirm the publisher/source (the homepage is a GitHub repo) and inspect the small code file (evals/run_evals.py) for any network calls or unexpected behavior. Do not grant agent credentials to your ERP/WMS/POS systems unless you intentionally want the agent to act on them — if you do, use least-privilege accounts, monitor activity, and test in a sandbox. Remember the skill provides domain advice (formulas, method selection) but is not a substitute for access-controlled integrations or a human sign-off on production inventory actions.
Review Dimensions
- Purpose & Capability (ok): The name/description (demand forecasting, safety stock, replenishment, promo lift) matches the SKILL.md content and the included evaluation/rubric material. It mentions common vendor products (Blue Yonder, SAP, etc.) as context but does not require credentials or extra access to deliver its guidance — this is consistent for a knowledge skill.
- Instruction Scope (note): SKILL.md is a large, prescriptive guidance document (forecasting methods, metrics, formulas, policy templates). It does not instruct the agent to read system files, access environment variables, or send data to external endpoints. Note: the document references external systems and vendor portals as part of context; if you later grant the agent live system credentials, that expands its scope — but as published the instructions remain within the stated domain.
- Install Mechanism (ok): No install spec is present (instruction-only) and no binaries or downloads are required. This minimizes persistence and disk-write risk.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The included files are evaluation artifacts and references; nothing requests secrets or unrelated service access.
- Persistence & Privilege (ok): Flags show always:false and default autonomous invocation allowed. The skill does not request permanent presence or modify other skills. Autonomous invocation is normal for skills; this skill does not combine that with broad credential access.
