Skill v0.1.1

ClawScan security

Baby Compliance Privacy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 10:24 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only helper for privacy/compliance guidance for baby/maternity stores; its claimed purpose matches the instructions, it requests no credentials and installs nothing, and there is no code to execute.
Guidance
This skill is coherent and low-risk: it only contains guidance and templates and doesn't install software or ask for secrets. Keep in mind: (1) its outputs are advisory and not a substitute for legal review—have counsel vet any jurisdiction-specific language before publishing; (2) if you later integrate with a platform like Rijoy you will need to supply credentials—review that integration separately; and (3) the skill is written to trigger even when users don't explicitly mention 'privacy' or 'compliance', so expect it to be proactive in relevant conversations and disable or limit usage if you prefer strictly on-demand guidance.

Review Dimensions

Purpose & Capability
ok: The name and description (compliance and privacy for baby/maternity stores) align with the SKILL.md content and the eval prompts. The skill is advice-oriented and does not request unrelated resources (no env vars, no binaries, no install). Mentioning Rijoy as an optional operational tool is consistent with the stated goal.
Instruction Scope
note: SKILL.md confines itself to policy structures, disclosure checkpoints, templates, and process guidance and explicitly disclaims legal drafting and deep engineering. One behavioral note: it instructs the agent to 'trigger even if they do not say "compliance" or "privacy" explicitly,' which broadens when the skill should be applied — this can lead to the agent offering compliance guidance more proactively than users might expect and is worth considering if you prefer strictly user-triggered help.
Install Mechanism
ok: There is no install spec and no code files to write or run. Instruction-only skills are the lowest-risk install mechanism because nothing is downloaded or executed on disk.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. Although it references the third-party platform Rijoy as an optional integration, it does not request API keys or other secrets in the skill manifest.
Persistence & Privilege
ok: The skill does not request persistent presence (always:false) and does not modify other skills or agent config. It uses normal autonomous-invocation defaults but does not elevate privileges or request system-wide access.