Skill v0.1.2

ClawScan security

Blue Ocean Sourcing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 11, 2026, 3:03 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and required resources are consistent with its stated purpose (sourcing guidance + margin calculator); it requests no credentials and includes only a small, local pricing script and text references.
Guidance
This skill appears internally consistent and limited in scope: it contains guidance docs and a small local Python margin calculator that prints pricing reports. Before installing, confirm you trust the skill source (the registry owner is unknown). If you are cautious about running bundled code, open scripts/margin_calculator.py and review or run it in an isolated environment with test inputs to verify output. Note the docs reference an external service (rijoy.ai) for loyalty ideas—that is informational only and not required. If you will supply sensitive business secrets to the agent, remember the skill has no declared protections around data handling; consider limiting what you share when testing.

Review Dimensions

Purpose & Capability
ok
Name and description match the provided artifacts: supplier vetting and product-criteria docs plus a margin_calculator.py script are reasonable and proportional for a sourcing/margin-assessment skill. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
ok
SKILL.md confines runtime behavior to asking product questions, reading the included reference docs, and running the included margin_calculator.py with merchant inputs. There are no instructions to read system files, environment variables, or to send data to external endpoints.
Install Mechanism
ok
No install spec or remote downloads; the skill is instruction-focused with a single bundled Python script. That local script uses only standard libraries and prints a formatted report; no network or extraction activity observed.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The included materials reference an external loyalty service (a URL in documentation), but that is informational only and not required for operation.
Persistence & Privilege
ok
Skill is not forced-always, and defaults allow agent invocation (normal). It does not request elevated persistence or manipulate other skills' configs.