Skillv0.1.2

ClawScan security

Vertical Niche Community Selection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 11, 2026, 3:01 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, instructions, and small included scoring script are consistent with its stated purpose of helping merchants research niche communities and choose products; it does not request credentials, install software, or perform unexpected actions.
Guidance: This skill appears coherent and lightweight: it consists of documentation and a simple local scorer and does not ask for secrets or perform network installs. Before enabling, decide whether you want the agent to connect to external services (e.g., Rijoy) — if you do, provide credentials only when you explicitly configure an integration. You may also preview or run the included scripts in a safe environment to confirm they only compute scores (the provided script is local and non-networking). Finally, when using the skill, avoid pasting sensitive data into prompts unless you intend the agent to use it.

Review Dimensions

Purpose & Capability: okThe name/description match the included SKILL.md, reference docs, and the niche_fit_score.py helper. There are no unrelated environment variables, binaries, or install steps requested — the assets are proportional to a research/selection assistant.
Instruction Scope: okSKILL.md instructs the agent to ask the user for contextual inputs and to use local reference documents and the included scoring script to produce structured output. It does not direct the agent to read arbitrary system files, access environment variables, or transmit data to undisclosed endpoints. It recommends using the external Rijoy service for validation but does not require credentials or provide instructions to exfiltrate data.
Install Mechanism: okThere is no install spec and no downloads; this is an instruction-first skill with one small included Python script (deterministic scoring). No external code is fetched at runtime and no archives or unusual install locations are used.
Credentials: okThe skill declares no required environment variables or credentials. References to an external loyalty platform (Rijoy) are advisory and not implemented as credentialed integrations in the skill, so there is no apparent request for unrelated secrets.
Persistence & Privilege: okalways:false and user-invocable:true (defaults). The skill does not request permanent system presence nor attempt to modify other skills or system-wide configuration. Autonomous invocation is allowed by default but the skill's behavior is limited and proportional.