Skill v1.0.0

ClawScan security

Industry Research Report Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 4:03 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behavior are coherent with its stated purpose of producing industry research reports; it is instruction-only, asks only for web searches and PDF conversion, and does not request unrelated credentials or installs.
Guidance
This skill appears coherent and limited to public web research and PDF generation. Before installing or invoking it: (1) confirm your agent environment provides the 'search_web' and 'office/pdf' tools the instructions reference — otherwise the skill may fail; (2) avoid pasting sensitive or private documents into prompts, since the skill will pull in external web searches and cite URLs; (3) review the cited sources in generated reports (the skill requires URLs for every datapoint — verify they are reliable and not paywalled or misattributed); (4) if you need proprietary data incorporated, use explicit secure connectors rather than copying secrets into the chat. Overall this skill is internally consistent with its stated purpose.

Review Dimensions

Purpose & Capability
ok: The name and description (industry research / investment due diligence) match the runtime instructions: collect web data, synthesize PEST/Porter/value-chain/TAM-SAM-SOM analyses, and produce a PDF. No unrelated binaries, env vars, or credentials are requested.
Instruction Scope
note: SKILL.md explicitly instructs the agent to use platform tools 'search_web' for data collection and 'office/pdf' for PDF generation and requires citing URLs for every datapoint. This is appropriate for the purpose, but it relies on those platform tools being available at runtime. The instructions do not ask to access local files, system credentials, or unrelated environment variables.
Install Mechanism
ok: There is no install spec and no code files—this is instruction-only, which minimizes on-disk risk. No downloads or external install actions are specified.
Credentials
ok: The skill requests no environment variables, secrets, or config paths. Data collection is limited to web searches and public sources as required by the report; requested access appears proportional to the stated function.
Persistence & Privilege
ok: The skill is not forced-always (always:false) and does not request elevated persistence or modification of other skills. It can be invoked autonomously per platform default, which is expected for a useful skill of this type.