Skill v1.0.0

ClawScan security

Generate Independent Insurance Agency Client Education Handout · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 12:16 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only helper for producing insurance client handouts; its declared requirements and instructions are consistent and it does not request extra credentials or install code.
Guidance
This skill is coherent and low-risk: it is instruction-only, asks for no credentials, and matches its stated purpose. Before installing or allowing autonomous runs, consider: (1) review or restrict the allowed tools if you do not want the agent to read workspace files or run shell commands (the SKILL.md lists Bash and Read); (2) confirm where image generation runs (which provider) if that will involve external API keys or sending client data; (3) review outputs before sharing externally as recommended. Note a minor consistency issue: the README's manual-install GitHub clone references a different repo/user than the registry owner—not necessarily malicious, but you may want to verify the intended source if you plan to clone or install manually.

Review Dimensions

Purpose & Capability
ok: Name and description match the instructions in SKILL.md (drafting handouts, visuals, FAQs). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md stays on-task (define audience, draft, refine, use image generation). It allows use of tools 'Bash' and 'Read' and references 'SkillBoss capabilities' — these give the agent some discretion to access workspace files or external enrichment features. The skill does not explicitly instruct reading system files or exfiltrating data, but the phrasing is a bit vague about what 'supporting data' may be fetched or used.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. No downloads or extract steps; low install risk. README mentions a GitHub clone for manual install, but the published registry entry itself has no installer.
Credentials
ok: No environment variables, secrets, or external credentials are required. Declared APIs (chat, image_generation) match the task of writing copy and producing visuals.
Persistence & Privilege
ok: 'always' is false (default) and the skill does not request persistent system-wide configuration or other skills' credentials. Autonomous invocation is allowed by default but is normal for skills and not excessive here.