Skill v1.0.0
ClawScan security
Sopaper Evidence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 1:49 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and requirements are consistent with an evidence-first research workflow; nothing requested or installed appears disproportionate to its stated purpose.
- Guidance: This package appears coherent with its stated goal of building evidence-led research packs. Before installing or running it, (1) review the bundled scripts that fetch external URLs to confirm you are comfortable with network access and which domains will be contacted; (2) run the scripts in a controlled environment (e.g., sandbox or project-specific workspace) so they only read project files you expect to share; (3) confirm the upstream GitHub repo (https://github.com/sheepxux/SoPaper-Evidence) if you want the original source and to inspect recent commits; and (4) note a minor oddity in an example source list (a TradingView Webhooks URL) — likely accidental example noise but worth a quick grep for unexpected external endpoints before trusting automated fetches.
Review Dimensions
- Purpose & Capability (ok): Name/description (evidence-first research, claim→evidence mapping) matches the provided templates, playbooks, and helper scripts. Required env vars, binaries, and config paths are none, which is coherent for an instruction-and-script package that operates on local files and public web sources.
- Instruction Scope (note): SKILL.md instructs the agent to search, fetch, verify, and ingest external sources and local project artifacts — this is appropriate for the stated purpose. Be aware the bundled scripts explicitly parse local markdown/csv files and (by name) fetch external sources; network access and reading repository-local files are expected behaviors and should be allowed only if you consent to those actions.
- Install Mechanism (ok): No install spec is included (instruction-only with bundled helper scripts). Nothing downloads or executes remote installers as part of the skill bundle, reducing supply-chain risk.
- Credentials (ok): The skill requires no environment variables, credentials, or unusual config paths. The absence of secrets is proportional to an evidence-collection and local-file-processing workflow.
- Persistence & Privilege (ok): always:false (default) and no capabilities to modify other skills or global agent config were found. The skill does not request elevated or permanent presence beyond normal autonomous invocation.
