Skill v1.0.0
ClawScan security
Data Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 11:21 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are internally consistent with a generic data-analysis helper; it is high-level and instruction-only, so it doesn't request unexpected access, but it is underspecified about how it would access Google Sheets or SQL sources.
- Guidance: This skill appears to be a generic, instruction-only data-analysis helper and is internally coherent. Before installing or using it: 1) Confirm how it will receive data — prefer pasting or uploading datasets rather than granting live access to Google Sheets or databases. 2) If you must connect it to Google Sheets or an SQL database, use least-privilege credentials (read-only, scoped, or temporary) and a test dataset with no PII or secrets. 3) Ask the skill author (or check the runtime/integration) how credentials are handled and whether any external endpoints are contacted. 4) Run it on non-sensitive data first to validate outputs and ensure it doesn't request unnecessary system files or secrets.
Review Dimensions
- Purpose & Capability (ok): Name and description match the SKILL.md capabilities (parsing CSV/JSON/Excel, visualizations, summaries). Nothing requested (no binaries, env vars, or installs) conflicts with the stated purpose.
- Instruction Scope (note): Runtime instructions are high-level and stay within data analysis. However the SKILL.md lists Google Sheets and SQL queries as supported formats without describing how connections/credentials are handled; the guidance is broad and gives the agent discretion to ask for or request external data access.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This is lowest-risk from an install standpoint (nothing is written to disk or fetched at install time).
- Credentials (note): The skill declares no required environment variables or credentials, which is proportionate. That said, supporting Google Sheets and SQL implies the potential need for credentials if the agent is asked to connect to those sources; those credentials are not declared here (the skill is underspecified).
- Persistence & Privilege (ok): always:false and user-invocable; the skill does not request persistent system presence or elevated privileges and contains no install-time hooks.
