Skill v1.0.0
ClawScan security
MBB Strategist · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 9:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only consultant framework toolkit that only uses the included reference prompts and requests no credentials, installs, or external resources — its declared scope matches its behavior.
- Guidance: This skill is internally consistent and does not request credentials or install software. Before installing: (1) remember outputs are generated text and should be validated — especially financial or legal recommendations; (2) be aware the skill instructs the agent to 'adopt' firm personas (e.g., 'Senior Partner at McKinsey'), which can mislead recipients about affiliation — avoid presenting outputs as official statements from those firms; (3) avoid feeding sensitive or proprietary data into the skill unless you trust generated outputs will be handled appropriately; (4) if you need networked integrations (live market data, CRM lookups), expect to use a separate skill that legitimately requests the necessary credentials.
Review Dimensions
- Purpose & Capability (ok): Name/description promise high-level consulting outputs (MBB-style frameworks). The shipped references/frameworks.md contains structured prompts and modules that directly support those claims. There are no unrelated dependencies, credentials, or binaries requested.
- Instruction Scope (ok): SKILL.md directs the agent to use the local references/frameworks.md modules and adopt specific personas and formats. It does not instruct reading system files, accessing environment variables, contacting external endpoints, or performing actions outside generating responses. Note: persona adoption (e.g., 'Senior Partner at McKinsey') can cause the agent to present itself as an employee/partner of those firms — this is a content/ethics concern, not a technical incoherence.
- Install Mechanism (ok): No install spec and no code files; instruction-only skills write nothing to disk and introduce minimal risk from installation mechanics.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. The SKILL.md and references do not reference any external secrets or resources, so requested access is proportional (none).
- Persistence & Privilege (ok): always is false and there is no special persistence requested. disable-model-invocation is false (the default allowing autonomous invocation), which is normal for user-invocable skills and is not combined with other concerning permissions here.
