Skill v1.0.0

ClawScan security

Agent News Briefing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Apr 17, 2026, 3:02 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (personalized news briefs for insurance agents) is plausible, but the runtime instructions tell the agent to read local customer files via shell commands even though no config paths or permissions are declared — this mismatch raises privacy and scope concerns.
Guidance
This skill looks like it will do what it promises (generate news briefs), but the runtime instructions tell the agent to read customer profile files from a local folder using shell commands even though the skill metadata declares no file-access path or permissions. Before installing or enabling this skill:

- Verify where '客户档案/' would be located and whether that folder contains sensitive personal data.
- Prefer changing the skill to call a controlled Customer Profile Management API (with an explicit required config path/credential) instead of running 'ls'/'cat' on arbitrary files.
- If you must allow filesystem access, require the skill to declare the exact config path and limit the fields it reads (e.g., only '关注领域' and '风险偏好'), and log/alert such accesses.
- Consider using manual invocation (or restricting autonomous runs) while testing, and audit any outputs before they are sent externally.
- Ensure compliance with data-protection policies (consent, retention, masking) before allowing the skill to read or transmit customer data.

If the missing config-path declaration was an oversight and the author can update the skill to explicitly request only the minimal, auditable access needed, the coherence and privacy concerns would be largely addressed.

Review Dimensions

Purpose & Capability
note: The stated goal (produce personalized insurance news briefings) aligns with the actions described (search web, summarize, craft messaging). However, the skill's instructions assume access to a local '客户档案/' directory and the 'customer-profile-management' integration for personalization, yet the skill metadata declares no required config paths or credentials for accessing customer data. That omission is an inconsistency.
Instruction Scope
concern: SKILL.md explicitly tells the agent to run shell commands (ls, cat) against local paths (客户档案/<客户姓名>.md) to extract sensitive customer profile fields. This is beyond what the declared requirements indicate and could expose personal data to the model or external services during execution. The instructions also use a generic 'web_search' tool (expected) and produce outbound content, which is coherent, but the file-read steps are scope-creep and privacy-sensitive.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes disk-write risk. There is nothing being fetched or installed by the skill itself.
Credentials
concern: No environment variables or credentials are requested, which is appropriate for a news-briefing skill. However, the skill expects to access local customer data files without declaring required config paths or permissions. That mismatch (undeclared file access) is a proportionality and transparency problem: personal data access should be explicit and limited to the fields needed for personalization.
Persistence & Privilege
ok: The skill is not set to always:true and does not request special platform-wide privileges. Autonomous invocation is allowed (default), which increases blast radius if the skill is given access to private files — consider requiring manual invocation when personal data is involved.