Back to skill
Skillv1.0.0
ClawScan security
Prompt Engineering · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 5:31 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only prompt-engineering documentation bundle whose requirements and instructions align with its stated purpose and do not request extra privileges or sensitive data.
- Guidance
- This appears to be a coherent, documentation-only prompt-engineering skill and is safe from a privilege/credential perspective. Before installing: (1) skim the README/SKILL.md to confirm it matches your expectations, (2) do not paste secrets, API keys, or private documents into prompts when testing, and (3) if you integrate it with your Agent SDK or Files API, supply credentials only to the SDK/environment — the skill itself does not need them. If you see later versions requesting env vars, downloads, or commands that read system files or contact unknown URLs, treat that as a red flag and re-evaluate.
Review Dimensions
- Purpose & Capability
- okThe name/description (prompt engineering expert) match the provided files (SKILL.md, README, BEST_PRACTICES, TECHNIQUES, EXAMPLES). There are no unrelated requirements (no cloud credentials, no platform binaries) that would be incoherent for this kind of skill.
- Instruction Scope
- okRuntime instructions are documentation and examples for crafting and evaluating prompts. They do not instruct the agent to read system files, exfiltrate data, call arbitrary external endpoints, or access credentials. Integration notes mention using Agent SDK/Files API for legitimate workflows but the skill does not include steps that would automatically transmit data.
- Install Mechanism
- okThere is no install spec and no code files to execute — this is instruction-only documentation, which is the lowest-risk install profile.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. Sample snippets reference the Anthropic client but don't require the skill to store or access secrets itself.
- Persistence & Privilege
- okThe skill does not request always:true and makes no claims about modifying other skills or system-wide settings. It is user-invocable and does not request elevated or persistent privileges.