Skill v1.0.0
ClawScan security
Copilot Studio Agent Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 9:05 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only guide for creating Microsoft Copilot Studio agents via the web UI; its requirements and instructions are consistent with that stated purpose and it does not request extra credentials or install code.
- Guidance: This file is a benign, offline how-to for using the Copilot Studio web UI and does not perform any code execution or request secrets. Before following steps that connect enterprise data or add event triggers: 1) verify the author/source (skill metadata is unknown), 2) test agent behaviors in a development environment, 3) restrict connectors and scopes to the minimum necessary, 4) avoid uploading sensitive data into public website knowledge sources, 5) monitor billing and audit logs for agents with generative orchestration or event triggers. If you need automation rather than a manual guide, look for an official API/integration from Microsoft rather than trusting third-party instructions without provenance.
Review Dimensions
- Purpose & Capability (ok): Name and description match the SKILL.md content: the document is a step-by-step web-app guide to authoring Copilot Studio agents. There are no unrelated required binaries, env vars, or install steps.
- Instruction Scope (note): All instructions describe actions inside Microsoft Copilot Studio (creating agents, topics, knowledge sources, triggers, publishing). The guide explains event triggers and describes possible payloads and autonomous behavior — this is relevant to Copilot Studio but users should be aware these features let created agents act autonomously and access enterprise data if configured. The skill does not instruct reading local files, environment variables, or sending data to non-Microsoft endpoints.
- Install Mechanism (ok): No install spec and no code files are present; nothing is written to disk or fetched at install time.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The SKILL.md describes Microsoft Entra/SSO and connecting enterprise data (SharePoint, Dataverse) as part of using the platform — those are platform-level operations, not requirements of this skill file.
- Persistence & Privilege (note): The skill itself does not request persistent presence or elevated platform privileges (always:false). However, the guide covers enabling generative orchestration and event triggers for agents you create — those agent-level capabilities can cause autonomous actions and have billing/data implications. This is a property of agents you build following the guide, not of the skill file itself.
