Skill v98.0.1

ClawScan security

Compliance Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 5:22 AM
Verdict
Benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions, inputs, and scope are consistent with a compliance checklist/calendar helper and it requests no elevated environment access or installs — but the package has no provenance (no homepage/source) so verify before using with real client data.
Guidance
This skill appears coherent for generating compliance checklists and calendars and does not request credentials or install code, but the package has no homepage or clear provenance—before installing, (1) verify the author (PrecisionLedger) and source, (2) test the skill only with dummy/non-sensitive data, (3) do not allow it to automatically send reminders or request/upload client PII without explicit firm policies and secure channels, and (4) always cross-check deadlines and regulatory changes against primary sources (IRS, FASB, state sites) before relying on them for client work.

Review Dimensions

Purpose & Capability
ok · Name, description, and SKILL.md content align: the skill provides deadline tracking, regulatory monitoring, audit checklists, and compliance calendar instructions. It does not request unrelated binaries, cloud credentials, or config paths.
Instruction Scope
note · SKILL.md is instruction-only and stays within its stated purpose (web_search queries, public sources like IRS/FASB, and checklist/calendar generation). It does instruct the user/agent to 'request PBC documents' and to build client calendars, which may lead an agent to request or collect sensitive client data — the skill does not define how that sensitive data should be handled, transmitted, or stored.
Install Mechanism
ok · No install spec, no code files — lowest risk from installation. The skill relies on built-in web_search and content generation only.
Credentials
ok · No required environment variables, credentials, or config paths are declared. The skill does not ask for unrelated secrets or platform access.
Persistence & Privilege
ok · 'always' is false and the skill is user-invocable. Autonomous invocation is allowed (platform default) but there are no directives in SKILL.md that would require persistent/system-wide privileges.