Skill Analytics

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill appears benign: it fetches public ClawHub stats and keeps a small scoped state folder, with no code, credentials, or private-data access shown.

Before installing, confirm you are comfortable with public web fetch/search calls and a persistent local state folder. Review `memory/skill-analytics/` if recommendations look stale, and treat the optional full-suite install command as a separate choice requiring review of those other skills.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may contact ClawHub and a search provider to gather public skill statistics.

Why it was flagged

The skill is expected to use network fetch/search tools, but the instructions scope them to public ClawHub statistics and do not request shell access, packages, or credentials.

Skill content

Use built-in tools only (web_fetch, web_search):

web_fetch https://clawhub.ai/tommot2/{slug}
web_search "clawhub {skill category}"

Recommendation

Install only if you are comfortable with those public network lookups, and keep searches limited to public skill names or categories.

What this means

Old or manually edited state could affect future recommendations, and any sensitive text a user puts in those files could persist.

Why it was flagged

The skill intentionally keeps persistent state and reads it before future runs, so stored recommendations and tried ideas can influence later analysis.

Skill content

All state stored in `memory/skill-analytics/` ... `state.json` ... `recommendations.md` ... `ideas-tried.md` ... Create directory and files on first run if they don't exist.

Recommendation

Periodically review or clear `memory/skill-analytics/`, and do not store secrets or private business details in the recommendation/result fields.