Skill v1.0.1

ClawScan security

Skylv Market Pain Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 20, 2026, 1:27 AM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and declared requirements are consistent with its stated purpose (automated market pain discovery); it requests no credentials and has no surprising installs or network endpoints, aside from standard web searches and a local script that writes report files.
Guidance
This skill appears coherent and doesn't ask for credentials, but note: (1) it will perform web searches/fetches—confirm you are comfortable with the agent making external queries and collecting public data (and ensure you comply with target sites' terms and privacy rules); (2) SKILL.md asks you to pip install pandas before running the included script; (3) the script writes files to a local ../data directory—inspect that directory and outputs before sharing them; and (4) metadata version fields mismatch (_meta.json shows 3.0.0 while registry metadata lists 1.0.1) — a benign inconsistency but you may want to confirm you're using the intended release.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, and the included Python script all focus on collecting web data (via web_search/web_fetch), analyzing it, and writing a Markdown report—these requirements align with a market-research/pain-finding skill. Declared dependency on a 'market-researcher' skill and the listed tools (web_search, write_to_file) are appropriate.
Instruction Scope
ok: Runtime instructions restrict activity to web_search/web_fetch, running the local script, and writing output files. The skill explicitly prohibits fabricating data and requires saving outputs. There is expected external data collection (search/fetch) but no instructions to read unrelated system files or environment variables.
Install Mechanism
note: No install spec is declared (instruction-only), which is low risk. SKILL.md suggests running 'pip install pandas' to satisfy the script, which is reasonable but is an external package installation step the user/agent must perform. No downloads from unknown URLs or archive extraction are present.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. File I/O is limited to a local data directory under the skill (../data) and explicit output paths. This is proportionate to the stated functionality.
Persistence & Privilege
ok: always:false and no modifications to other skills or global agent settings. The skill creates and reads files only under its own data directory—no elevated persistence or cross-skill config changes are requested.