Generate Plumbing Service Company Client Education Handout
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill does not show malware, but it asks for broader computer access than a simple handout generator needs and its installation docs point to a different source.
Before installing, verify that the package slug and source are the ones you intend to use, and consider removing or restricting Bash/Read access since a plumbing handout generator should not normally need shell or broad local file access.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses this skill, it may have access to run local commands or read files even though that is not needed to create a plumbing handout.
This grants shell and local file-read tools to a content-generation skill whose workflow only describes clarifying requirements, drafting a handout, and refining the output; the artifacts do not scope commands or files or require explicit approval.
allowed-tools: Bash, Read
Remove Bash and Read unless they are truly required, or clearly restrict them to user-selected files and require explicit user approval before any command execution.
A user following the README could install a different skill or unreviewed external repository instead of the artifact being evaluated.
The evaluated registry metadata identifies the skill slug as 'toby-generate-plumbing-service-company-client-education-handout', but the README points users to a different 'qiaomu' package and repository.
clawhub install qiaomu-generate-plumbing-service-company-client-education-handout ... git clone https://github.com/qiaomucom/generate-plumbing-service-company-client-education-handout.git
Correct the README to match the reviewed ClawHub slug, avoid ambiguous external install targets, and pin or verify any external source before installation.