GHIN Golf Tracker
ReviewAudited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.
This skill looks safe for offline analysis of an already-exported GHIN JSON file. Only provide the specific file you want analyzed, and treat the README’s optional browser-automation data collection as a separate, higher-trust decision because it may involve GHIN credentials. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user follows the optional data-collection guidance, their GHIN credentials and account data may be exposed to external automation tools, even though this analyzer does not handle them.
The README clearly separates optional data collection from this skill, but it still points users toward credentialed browser automation outside the reviewed code.
Browser Automation (Privacy Risk): Use tools like browser-use, Selenium, or Playwright to scrape data ... Any automated data collection method will require transmitting your GHIN credentials to external services. This skill itself never handles credentials or performs network requests.
Prefer manual export or a trusted local collection method, and do not give GHIN credentials to browser automation unless you understand and approve that separate workflow.