Skill v1.0.0

ClawScan security

HiFi Advisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 10:48 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This skill's files, instructions, and requirements are coherent with a hi‑fi advising tool; it does not ask for unrelated credentials, install arbitrary code, or reach out to external endpoints.
Guidance
This skill appears coherent and low-risk: the included Python script performs only local CSV parsing and summary printing, and the markdown workflows/checklists are on-topic. Run the script only on CSVs you trust (it reads local files but doesn't transmit data). If you plan to let an agent run skills autonomously, remember that it could execute the provided script, so ensure your runtime environment restricts untrusted code execution. If you want extra assurance, open and review scripts/price_stats.py yourself (it's short and readable) before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the provided assets: workflow templates, checklists, and a small price-stats script for used-market analysis. Nothing requested (no env vars, no binaries, no config paths) is unrelated to giving audio advice and pricing analysis.
Instruction Scope
ok: SKILL.md stays on topic: it lists question flows, checklists, and instructs running the included script only when the user supplies a CSV. It does not instruct the agent to read arbitrary system files, contact unknown endpoints, or exfiltrate data.
Install Mechanism
ok: No install spec included (instruction-only plus one benign script). The Python script is small, local, and non-obfuscated; there are no downloads or archive extraction steps.
Credentials
ok: The skill requires no environment variables or credentials. The only runtime action is optionally running a local Python script against user-provided CSV data, which is proportional to the stated price-analysis purpose.
Persistence & Privilege
ok: "always" is false and the skill doesn't request system-wide modification or persistent privileges. Autonomous invocation is allowed by default but combined with the limited scope there is no elevated privilege request.