Skill v1.0.0
ClawScan security
Cookie Consent Banner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 14, 2026, 12:50 PM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill claims to implement an enterprise cookie-consent banner but the instructions only show a trivial CMessageBox example (no consent storage, cookie categories, or legal/compliance handling) and the provenance of the referenced orbcafe-ui package is not established.
- Guidance: This skill is instruction-only and appears misleading: it promises an enterprise cookie-consent solution but only shows a simple message-box example. Before installing or using orbcafe-ui, verify the npm package and source repository (check README, repository link, maintainers, download counts, open issues, and license). Inspect the package contents and run `npm audit` or equivalent. Ensure any cookie-consent implementation includes storage of user preferences, category management, clear opt-in/opt-out flows, and legal compliance (GDPR/CCPA) — none of which are shown here. If you need production-grade consent handling, prefer a well-known library or review the orbcafe-ui repo and test how it persists and protects consent data.
Review Dimensions
- Purpose & Capability (concern): The name/description promise an 'enterprise-grade Cookie Consent Banner' with best practices (i18n, accessibility, consent handling). The SKILL.md only shows installing an 'orbcafe-ui' package and a minimal CMessageBox usage example that does not implement cookie consent flows, preference storage, categories, or any privacy/legal considerations — this is a mismatch between claimed purpose and provided instructions.
- Instruction Scope (note): Instructions are limited to an npm/pnpm install command and a small React example. They do not instruct the agent to read system files, credentials, or external endpoints. However the guidance is incomplete and vague for the stated purpose (no instructions for persisting consent, integrating with cookies/localStorage, or handling opt-in/opt-out).
- Install Mechanism (note): There is no formal install spec in the skill bundle (it's instruction-only). The SKILL.md recommends installing orbcafe-ui from npm, which is a normal package install pattern, but the skill metadata lacks a homepage/source and the package's authenticity and quality should be verified before use.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. There are no obvious excessive permissions or secret access requests.
- Persistence & Privilege (ok): Skill is not always-enabled and has no special persistence or privilege requests. It does not modify other skills or system settings.
