Skill v1.0.0

ClawScan security

Pharma Csv Pro · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 7, 2026, 11:57 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions are coherent with its stated purpose (local CSV-based pharmaceutical QC/stability analysis); it does not request credentials, install software, or perform network activity by default.
Guidance
This package appears to be a local CSV analysis tool and is internally consistent. Before using for regulated work, (1) validate outputs on known datasets and confirm the statistical methods meet your SOPs/regulatory expectations, (2) treat input CSVs as sensitive — they may contain regulated or personal data — and run the tool in an environment with appropriate access controls, (3) if you follow the LIMS integration examples, supply only trusted endpoints and tokens and review any integration code you add, and (4) review the script yourself or with your security/compliance team before using it in production or submitting reports to regulators.

Review Dimensions

Purpose & Capability
ok
Name/description (pharmaceutical CSV analysis, OOS/OOT, regulatory reports) matches the included SKILL.md, example CSVs, and the Python script which implements validation, statistics, trend analysis and report generation. The examples and code only operate on user-provided CSV files.
Instruction Scope
note
SKILL.md instructs running the included script against local CSV files and documents optional LIMS integration examples. The runtime instructions and the script operate on file input only and do not instruct reading unrelated system files or environment variables. Note: the docs include an example showing how a user could post results to a LIMS API (requests.post) — that example is user-driven and not executed by the skill itself.
Install Mechanism
ok
No install spec is present; this is an instruction-only skill with a bundled Python script. No downloads, package installs, or archive extraction occur as part of the skill.
Credentials
ok
The skill requires no environment variables, credentials, or config paths. The code does not read environment secrets or network endpoints by default. The LIMS integration shown in references is a manual example that would require the user to supply their own API token and endpoint.
Persistence & Privilege
ok
Skill does not request permanent presence (always: false). It contains no self-install or configuration changes to the agent or other skills. Autonomous invocation is allowed by platform default but this skill has no network/backchannel capability that would increase risk.