Skill v1.0.0

ClawScan security

Report Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 5:46 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and requirements match its stated purpose (generating HTML reports from local CSV/XLSX/JSON data); nothing in the package requests unrelated credentials or external endpoints and the script confines file access to the current working directory.
Guidance
This package appears coherent and limited to generating local HTML reports. Before installing/using it: (1) inspect the scripts/generate_report.py file yourself (it's included and small); (2) run it in an isolated working directory—the script allows reading any file inside the current working directory, so avoid running it where sensitive files live; (3) ensure Python, pandas, and matplotlib are available in your environment (the skill doesn't install them); (4) test with sample data first to confirm outputs; and (5) if you need remote or automated execution, consider adding an explicit install step and dependency management (virtualenv/requirements) and review for any modifications.

Review Dimensions

Purpose & Capability
ok: Name/description (report generation) align with the included assets: SKILL.md, templates, chart guidelines, and a Python script that reads local data and emits an HTML report with charts and KPIs. No unrelated capabilities or credentials are requested.
Instruction Scope
ok: SKILL.md stays within the scope of report generation and explicitly points to the included script and reference templates. The runtime instructions and script only reference input data files and local output; they do not instruct reading unrelated system state or exfiltrating data.
Install Mechanism
note: There is no install spec (instruction-only plus a helper script). The provided Python script requires pandas and matplotlib to run, but the skill does not declare or install these dependencies; users must ensure the runtime environment has them. Lack of an install step is low risk but may cause runtime failures if dependencies are missing.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. The behavior is proportional: it operates on user-supplied files and writes output locally. There are no requests for unrelated secrets or external service access.
Persistence & Privilege
ok: The skill is not forced always-on and does not modify other skills or system-wide configurations. It runs only when invoked and does not ask to persist credentials or enable autonomous always-running behavior.