Skill v98.0.1

ClawScan security

Client Onboarding Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 5:22 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only onboarding framework whose requested artifacts and questions match its stated purpose; it requires no installs or credentials, so its footprint is coherent with its description.
Guidance
This skill appears internally consistent and useful as an interview/framework template. Before using it:
1) Verify origin and licensing (SKILL.md claims MIT but source/homepage are unknown).
2) Treat any client data you collect as potentially sensitive — obtain explicit consent before viewing screens or system access, avoid requesting passwords or long-lived credentials, and redact or store PII securely.
3) If you plan to operationalize the outputs (connect to APIs, ingest data), ensure the chosen integrations and credentials are scoped and logged, and confirm regulatory requirements (HIPAA, SOC2, etc.) identified in the framework.
4) Because this is instruction-only, the main risk is human operational: train staff to follow least-privilege and data-handling practices when executing the workflow.

Review Dimensions

Purpose & Capability
ok: The name and description promise a client onboarding / diagnostic framework; the SKILL.md is a detailed, structured interview and artifact template (4 diagnostic rounds, constraint categories, SOP). There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
note: The instructions are focused on discovery questions, templates, diagrams, and SOPs. They do explicitly instruct the agent/operator to request access to client tools/screens and to gather workflow and data-flow information, which is expected for onboarding but involves collecting potentially sensitive operational data. The skill does not instruct the agent to access system files, environment variables, or external endpoints autonomously.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — minimal risk from installation because nothing is written or executed by the platform.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. Requests for potentially sensitive client data (workflows, screenshots, system/tool access) are operationally relevant to onboarding but are not implemented as required platform credentials.
Persistence & Privilege
ok: Flags show default behavior (always: false, model invocation allowed). The skill does not request permanent presence or special platform privileges and does not instruct modification of other skills or agent system settings.