Skill v1.0.0
ClawScan security
Client Discovery · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 12, 2026, 8:23 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only skill that provides a client-discovery / sales discovery question framework; its requirements and instructions are coherent with that purpose and it doesn't request credentials, installs, or broad system access.
- Guidance: This skill is an instruction-only script for running discovery conversations and appears internally consistent. Before installing: (1) confirm where 'workspace/artifacts/' is stored and how long artifacts are retained (so you don't inadvertently keep sensitive prospect information), (2) review and redact any personally identifiable or sensitive data before saving or sharing outputs, and (3) note that the package has no author/homepage metadata — if provenance matters to you, ask the publisher for more info. Otherwise it matches its stated purpose and has no obvious disproportionate access requests.
Review Dimensions
- Purpose & Capability: ok. Name and SKILL.md describe a discovery/qualification framework. The skill requires no binaries, env vars, or installs — that's proportionate for a guidance/template skill.
- Instruction Scope: ok. SKILL.md is a prescriptive script and question set for discovery calls. It does not instruct the agent to read arbitrary system files, access credentials, or send data to unexpected external endpoints. It does say "All outputs go to workspace/artifacts/", which is a reasonable local output path for generated artifacts.
- Install Mechanism: ok. No install spec and no code files — lowest-risk form (instruction-only).
- Credentials: ok. The skill requests no environment variables, credentials, or config paths. All recommended questions and checks are consistent with discovery/qualification and do not require secrets.
- Persistence & Privilege: ok. 'always' is false and the skill is user-invocable (normal). It does not request persistent privileges or modify other skills/configs.
