Skillv1.0.0

ClawScan security

Cpa Firm Video · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 7, 2026, 3:27 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only marketing/video-generation skill whose declared purpose (produce CPA/firm videos) matches what it requests and installs: there are no installs, no environment variables, and no code — nothing obviously disproportionate to its stated function.
Guidance: This skill appears coherent and low-risk based on the visible SKILL.md: it’s an instruction-only tool for producing CPA marketing videos and requests no system access or credentials. Before installing, quickly verify the full SKILL.md (the preview was truncated) to ensure it does not: 1) ask users to paste or upload sensitive client tax/financial documents or personally identifiable data into prompts, 2) instruct the agent to post data to unknown external endpoints, or 3) request credentials later via hidden steps. Also note the skill’s source/homepage is unknown — if you prefer provenance, favor skills published by known authors or with a homepage and privacy/data-handling details. If you plan to use it with real client materials, avoid pasting raw tax returns/PII into prompts unless you have explicit consent and a secure environment.

Purpose & Capability: okName/description promise: AI video creation for CPA firms. Declared requirements: no binaries, no env vars, no install. These are proportionate: an instruction-only skill that provides prompts/templates for video production legitimately needs no cloud credentials or system access.
Instruction Scope: okThe provided SKILL.md content is copy and runtime instructions/prompts for creating marketing and informational videos. In the portion reviewed there are no commands, no references to reading system files, and no steps that request unrelated credentials or system access. (Note: the SKILL.md was truncated in the bundle preview — the visible content does not instruct collecting system credentials or scanning local files.)
Install Mechanism: okNo install specification and no code files are present. That is the lowest-risk pattern for a skill that is essentially a set of prompts/templates for video creation.
Credentials: okThe skill declares no required environment variables, no primary credential, and no config paths. This is proportional to a video-marketing instruction skill and avoids unnecessary access to secrets or cloud credentials.
Persistence & Privilege: okalways is false and the skill is user-invocable. It does not request persistent system presence or elevated privileges. Autonomous invocation is allowed by default but is not combined with other red flags here.