Skill v3.0.1

ClawScan security

辩证分析 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 6:09 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, prompts, and runtime behavior are consistent with its stated purpose (multi-agent dialectical business analysis); it optionally uses external search APIs for knowledge enhancement — a deliberate feature that transmits the user's query to third‑party search services when enabled.
Guidance
This skill appears coherent with its purpose. Before installing or invoking it, consider: (1) Knowledge enhancement will send your topic, background, and constraints to external search services (Tavily, Brave, or DuckDuckGo HTML) if you enable it — do not enable search for sensitive or confidential topics unless you trust the external service and its privacy policy. (2) If you prefer not to send data externally, run with enable_search=false (the skill still functions without search). (3) Ensure your environment has the Python 'requests' package if you plan to use Tavily/Brave APIs. (4) The skill stores session files under its own workspace directory (inside the skill folder); review those files if you want to remove traces. (5) If you supply API keys, treat them as sensitive credentials and confirm the target API endpoints (e.g., tavily.com) before providing keys. Overall the skill is internally consistent; these notes are privacy and dependency cautions rather than indicators of malicious behavior.

Review Dimensions

Purpose & Capability
ok · Name/description (dialectical business analysis) match the included code and prompts: orchestrator, pro/con/arbitrator agents, multi‑dimensional framework, and optional knowledge enhancement. Requested/used resources (Tavily/Brave/DDG search) align with the 'knowledge enhancement' feature.
Instruction Scope
note · SKILL.md and the runner are focused on debate orchestration and report generation. Important note: when enable_search is true, the skill sends user-provided topic/background/constraints as search queries to external search APIs (Tavily, Brave, or DuckDuckGo HTML). SKILL.md states search runs only when explicitly enabled, which matches the code.
Install Mechanism
ok · No install spec — instruction-only skill with an included Python runner. No downloads or archive extraction. This is low risk from an install perspective. The package relies on standard Python usage; no installer behavior observed.
Credentials
note · The skill optionally reads TAVILY_API_KEY and BRAVE_API_KEY from environment variables — proportionate to its optional search feature. Two implementation notes: (1) the code uses the 'requests' library when calling those APIs but 'requests' is not declared as a required dependency in SKILL.md; (2) enabling search will transmit the user's input to third‑party endpoints, so sensitive data may be exposed to those services.
Persistence & Privilege
ok · always is false and the skill writes session state and artifacts only to a workspace directory under the skill folder. It does not request system‑wide config changes or other skills' credentials. No elevated persistence or privileges detected.