Skill v1.0.0

ClawScan security

Startup Critical Path Planning · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 10:05 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is instruction-only and its requested actions (asking for company context, producing a one-goal critical-path document, writing a local critical-path.md) align with its stated purpose and do not request unrelated credentials or installs.
Guidance
This skill appears coherent and low-risk: it asks for business context and writes a local critical-path.md document. Before using it, avoid pasting secrets or sensitive credentials into prompts (financial/account passwords, private keys, API tokens). Review the generated critical-path.md before acting on it, and be aware the agent will write to your working directory. If you prefer not to have files written, ask the agent to present the plan inline instead of saving it to disk.

Review Dimensions

Purpose & Capability
ok: The name and description (help founders set a single traction goal and define milestones) match the SKILL.md's inputs and outputs. No unrelated binaries, environment variables, or external services are required.
Instruction Scope
note: Instructions are focused on eliciting company context, enumerating and filtering milestones, ordering dependencies, and writing the resulting critical-path.md. The skill explicitly directs the agent to write a file and to 'Use TodoWrite' as a workflow tool; this is consistent with producing a document but does give the agent permission to read/write in the plain-text working directory. There are no instructions to read unrelated system files or exfiltrate data.
Install Mechanism
ok: No install spec or code files are present. This is the lowest-risk form: no downloads, no packages, nothing is written to disk except the expected output document produced at runtime.
Credentials
ok: The skill requests no environment variables, credentials, or config paths. It asks for business context from the user (metrics, runway, candidate items) which is appropriate for the task.
Persistence & Privilege
ok: always is false and the skill does not request persistent privileges or modify other skills or system-wide agent settings. Its runtime behavior is limited to reading user-provided context and writing the critical-path.md document.