Skill v1.0.1

ClawScan security

Management Consulting Methods Toolbox (管理咨询方法工具箱) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 16, 2026, 6:33 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only consulting-methods toolkit whose requested files and instructions are coherent with its stated purpose and it does not ask for external credentials, installs, or network endpoints.
Guidance
This skill is a local, instruction-only toolkit for management-consulting templates and appears coherent. Before installing or using it: 1) Know that the agent will read the included reference files — avoid submitting sensitive proprietary data into prompts unless you intend the model to process it. 2) The SKILL.md suggests using the 'rg' command but doesn't require it; the agent should not fail if 'rg' is absent. 3) SKILL.md references a file 'source-extracted.txt' that is not present in the manifest — expect the agent to report missing references or request that content. 4) Because this skill can be invoked autonomously by the agent (normal default), treat any automated uses that feed business-sensitive inputs with caution. Overall the skill is internally consistent and low-risk, but validate missing references and ensure you control any business data you pass to it.

Review Dimensions

Purpose & Capability
ok: The skill name and description (management consulting methods and templates) match the provided content: a library of method documents and routing rules. There are no unrelated environment variables, binaries, or external services required.
Instruction Scope
note: SKILL.md instructs the agent to choose a scenario and read specific module files from the included references/methods folder and produce structured outputs — this stays within the declared purpose. Two small issues to note: (1) a retrieval suggestion mentions using the 'rg' command (ripgrep) even though no required binaries are declared — this is a convenience suggestion but could fail if 'rg' isn't present. (2) SKILL.md references a 'source-extracted.txt' under '来源与检索' ("Sources and Retrieval") but that file is not present in the manifest; the agent should handle missing referenced files gracefully. The instructions do not request reading any system files, env vars, or sending data to external endpoints.
Install Mechanism
ok: This is instruction-only with no install specification and no code files to execute or download. That minimizes persistence and supply-chain risk.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The content operates entirely on bundled documentation files, so no excessive secrets or permissions are requested.
Persistence & Privilege
ok: 'always' is false and the skill is user-invocable (normal). The skill does not request to modify other skills or system-wide settings and has no install that would create persistent binaries or services.