Skillv1.0.0

ClawScan security

intelligence-analyst-claw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 7, 2026, 12:55 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are internally consistent with an intelligence/industry-research assistant and do not request unrelated credentials or install arbitrary code.
Guidance: This skill appears coherent and its code is small and aligned with research tasks. Before installing: (1) note that some SKILL.md steps ask the agent to use a browser to access gated databases — that may use your browser sessions or prompt you for credentials, so avoid supplying sensitive internal credentials unless you trust the run context; (2) SKILL.md mentions sentiment_analysis.py and monitor_policy_updates.sh but those files are not present in the package—ask the author or remove those references if you expect those capabilities; (3) because the agent will fetch web pages, review network access policies and run the skill in an environment you control if you have concerns about scraping internal or sensitive endpoints; (4) if you want guarantees about data handling, request that the maintainer add explicit logging/privacy behavior and a manifest for all referenced scripts.

Review Dimensions

Purpose & Capability: okName/description describe multi-source research and the provided scripts (report search plan, competitor template, financial extraction) match that purpose. The listed data sources and frameworks align with industry research tasks.
Instruction Scope: noteRuntime instructions limit actions to web_search/web_fetch/browser-based scraping and structured analysis; they explicitly mention obeying robots.txt and not fetching unauthorized internal materials. Note: SKILL.md instructs using an interactive browser for gated databases which may involve user credentials or sessions even though the skill doesn't request credentials explicitly.
Install Mechanism: okNo install spec (instruction-only plus small python scripts). Nothing is downloaded or written to disk by an installer; included scripts are benign and local.
Credentials: noteThe skill requires no environment variables or credentials, which is proportionate to its stated purpose. Caveat: the instructions expect the agent to use an interactive browser for some sources — that can leverage existing user sessions/credentials implicitly. Also SKILL.md references additional helper scripts (sentiment_analysis.py, monitor_policy_updates.sh) that are mentioned but not present in the file manifest.
Persistence & Privilege: okalways is false and the skill does not request persistent system-wide privileges or modify other skills. Agent autonomous invocation is allowed by default (not a red flag here).