Skill v1.0.0

ClawScan security

用户反馈虾 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 8, 2026, 1:04 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only user-feedback analysis helper whose requested inputs and behavior match its description. It does not request extra credentials, installs, or unexpected access.
Guidance
This skill is coherent and appears safe from the static metadata provided. Before using it, do not upload sensitive or personally identifiable data unless you trust the execution environment — redact or anonymize customer identifiers first. Test with a small non-sensitive sample to validate outputs and check the agent’s concrete handling of Excel/CSV parsing. If you later integrate the skill with other skills or automation that sends reports to external systems, review those connections to ensure no unintended data sharing.

Review Dimensions

Purpose & Capability: ok
Name/description (analyzing user comments, sentiment, themes, and producing reports) aligns with the instructions and provided reference documents; no unrelated credentials, binaries, or platform access are requested.
Instruction Scope: ok
SKILL.md stays within the feedback-analysis scope: data cleaning, sentiment/issue classification, clustering, priority scoring, and report output. It does not instruct reading unrelated system files or exfiltrating data to external endpoints. It clearly documents required input fields and limitations (no images/videos).
Install Mechanism: ok
Instruction-only skill with no install spec and no code files, which is the lowest-risk installation footprint; nothing is downloaded or written to disk by the skill itself.
Credentials: ok
No environment variables, credentials, or config paths are required. The skill's needs (text/CSV/Excel input) are proportional to its purpose. Nothing asks for unrelated secrets or system auth.
Persistence & Privilege: ok
"always" is false and the skill does not request permanent agent-level presence or privileged modifications. Autonomous invocation is allowed by platform default but not combined with any broad privileges here.