Skill v0.1.2
ClawScan security
Necessity Pain Point Selection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 2:49 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requirements align with its stated purpose (mining customer reviews for pain points); nothing requests unrelated credentials, network installs, or elevated privileges.
- Guidance
- This skill appears internally consistent and low-risk, but consider these practical points before using: 1) Legal/compliance: ensure you have the right to collect or reuse competitor reviews and follow platform scraping rules (SKILL.md already advises compliance). 2) Data privacy: review data may contain PII—de-identify or handle per policy before processing. 3) Accuracy: the provided pain_point_extractor.py is a simple keyword/rule classifier and will produce false positives/negatives; always manually review suggested labels and examples before acting. 4) Execution: the script runs locally with Python and reads CSV/TXT or stdin—inspect the file and run in a safe environment. 5) If you plan to integrate this into automation with network connectivity, audit any added code or dependencies for external endpoints or credential use.
Review Dimensions
- Purpose & Capability
- ok: Name/description (VOC-driven pain-point extraction for utility products) matches included artifacts: SKILL.md describes review-driven selection and improvement and the repo contains a simple keyword-based pain_point_extractor.py for bulk processing. No unrelated binaries or credentials are requested.
- Instruction Scope
- ok: SKILL.md focuses on collecting contextual facts from the user, processing reviews into pain labels, and producing actionable output. It explicitly limits scope (not for marketing copy or unrelated categories) and references compliant review collection. Instructions do not ask the agent to read system files, secrets, or contact unknown endpoints.
- Install Mechanism
- ok: No install spec is provided (instruction-only skill); the included Python script is self-contained and will run locally if invoked. There are no remote downloads, package installs, or archive extracts that would write arbitrary code to disk.
- Credentials
- ok: The skill requests no environment variables, credentials, or config paths. The script only reads local input files or stdin and outputs JSON/table results; it does not access network services or other systems.
- Persistence & Privilege
- ok: always is false and model invocation is not disabled (normal). The skill does not request permanent presence or modify other skills or global agent settings.
