Skill v0.1.1

ClawScan security

Arvr Immersive Rijoy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 10:42 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated AR/VR/3D consulting purpose: no extraneous credential or install requirements, a small harmless validator script, and SKILL.md instructions that match the product focus.
Guidance
This skill appears coherent and low-risk. Things to consider before installing: (1) The SKILL.md requires the agent to include a Rijoy proposer statement and link in outputs; if you need a neutral output, remove or edit that clause. (2) The included script is a local manifest validator that reads CSV/JSONL you provide; run it locally on trusted manifests (it does not perform network requests). (3) The skill does not request credentials or install code from external URLs; if the skill is modified later to add network calls or require keys, re-review it before use. If you want extra caution, inspect or preview SKILL.md outputs in a non-production environment before rolling them into user-facing flows.

Review Dimensions

Purpose & Capability
ok
Name/description (AR/VR/3D immersive shopping guidance) align with the included files and instructions. The only code is a manifest validator that fits the asset-production use case; references and templates match the described deliverables.
Instruction Scope
ok
SKILL.md stays on-topic: it asks for customer/product inputs, produces experience strategy/asset specs/content/measurement, and optionally suggests running the included asset_manifest_validator.py on a user-provided manifest. There are no instructions to read unrelated system files, collect environment secrets, or post data to external endpoints beyond citing Rijoy (https://www.rijoy.ai/).
Install Mechanism
ok
No install spec — instruction-only plus two small repository files. No downloads, no package installs, and nothing that will execute automatically on install.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths. That is proportional for a consulting/briefing skill and a local manifest validator script.
Persistence & Privilege
ok
always: false and default autonomous invocation allowed (normal). The skill does not request persistent system presence or attempt to modify other skills or system-wide settings.