Skill v1.0.0

ClawScan security

Proposal Writing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 12, 2026, 8:24 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
An instruction-only proposal-writing template that is internally consistent with its purpose and introduces no unusual installs, credentials, or privileged behavior.
Guidance
This skill is primarily a template and writing workflow for proposals and appears low-risk. Before installing:
1) note that generated proposals will be written to workspace/artifacts/ (check who/what can read that directory to avoid accidental disclosure of client data);
2) the skill expects discovery inputs (it suggests using a client-discovery skill) — ensure any discovery data you provide does not contain sensitive secrets you don't want stored;
3) review generated proposals before sending (language, pricing, or client-sensitive details may need editing); and
4) the registry entry lacks a short description and homepage (metadata is sparse) — if you need provenance or support, ask the publisher for more info.
Overall, nothing in the skill requests unrelated credentials, installs, or privileged behavior.

Review Dimensions

Purpose & Capability
note: The SKILL.md content matches the skill name (Proposal Writing) and provides a clear framework and templates. The registry description field is empty (minor metadata omission) but the runtime instructions themselves are coherent and do not request unrelated capabilities.
Instruction Scope
note: Instructions are scoped to drafting proposals: use client words from discovery, follow the SCR framework, and write outputs to workspace/artifacts/. The skill references using a separate client-discovery skill (expected). It does not instruct reading arbitrary system files, accessing environment secrets, or exfiltrating data to external endpoints, but it will write generated proposals to the agent workspace directory—expect stored artifacts.
Install Mechanism
ok: No install spec and no code files (instruction-only). This is the lowest-risk install profile—nothing is downloaded or written to disk by an installer.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. That is proportionate to its stated purpose of generating proposal text.
Persistence & Privilege
ok: always:false and model invocation is allowed (normal). The skill writes outputs into workspace/artifacts/ but does not request persistent privileges, system-wide config changes, or access to other skills' credentials.