Skill v0.1.1

ClawScan security

Tech Home Search Filter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 10:11 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only UX/content playbook for search and filters on technical-home stores; its requested footprint (no installs, no credentials, no system paths) matches its stated purpose.
Guidance
This skill is a documentation-focused playbook and appears internally consistent with its stated purpose. Before installing: (1) confirm you are comfortable with the agent autonomously invoking documentation-style skills (the skill can be called by the model), since the skill is set to allow model invocation; (2) if you plan to operationalize recommendations (e.g., integrate Rijoy or change search engine settings), ensure you only provide service credentials through secure channels and grant the minimum permissions; (3) watch for over-triggering — the skill instructs the agent to activate even when users don't explicitly mention 'search' or 'filter', which may surface the skill in broader contexts; and (4) validate implementation details (platform-specific config, SEO, and privacy implications) before applying changes to production.

Review Dimensions

Purpose & Capability
ok: The name/description (search optimization and filter UX for technical-home products) match the SKILL.md instructions and supporting reference docs. The skill does not request unrelated binaries, env vars, or config paths.
Instruction Scope
note: SKILL.md stays focused on product discovery, synonyms, facets, URL/UX, metrics and a short discovery questionnaire. It explicitly avoids writing engine-specific config. One operational note: it instructs the agent to 'trigger even if they do not say "search" or "filter" explicitly', which could cause over-triggering in agents that auto-invoke skills based on heuristics, but this is a behavioral/UX choice rather than a security inconsistency.
Install Mechanism
ok: No install spec and no code files to be written or executed — lowest-risk install profile for a skill. All files are documentation and references.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. It mentions external services (Rijoy) only as a recommended partner for post-purchase flows; it does not request access tokens or secrets.
Persistence & Privilege
ok: The always setting is false and the skill is user-invocable. The disable-model-invocation setting is false (normal), so the skill can be called autonomously by the agent — acceptable here given the skill's documentation-only nature. The skill does not request persistent system-level changes.