v1.3.0

GHIN Golf Tracker

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:56 AM.

Analysis

Prompt-injection indicators were detected in the submitted artifacts (base64-block); human review is required before treating this skill as clean.

GuidanceThe skill appears safe for its intended use: analyzing a local GHIN JSON file. Before installing, confirm you are comfortable running the included Python script on your local data, and be careful with the separate README guidance about browser automation because that process—not this analyzer—may involve GHIN credentials. ClawScan detected prompt-injection indicators (base64-block), so this skill requires review even though the model response was benign.

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityLowConfidenceHighStatusNote

README.md

Any automated data collection method will require transmitting your GHIN credentials to external services. This skill itself never handles credentials or performs network requests.

The skill itself is framed as local analysis only, but its documentation points users toward separate browser automation for collecting GHIN data, which may involve account credentials.

User impactIf you follow the optional data-collection guidance, you could expose GHIN login credentials to a separate automation tool or service.

RecommendationUse this skill only with a JSON file you already have. If collecting data separately, prefer manual export when possible and only provide GHIN credentials to tools you trust.