Skillv1.0.0

ClawScan security

CSV Data Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 14, 2026, 6:09 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are coherent with its stated purpose (CSV analysis/visualization); it is an instruction-only skill that expects Python + pandas/matplotlib and does not request unrelated credentials or installs.
Guidance: This skill is internally consistent and appears to do what it says. Before installing or using it: 1) Ensure the execution environment has Python with pandas and matplotlib (the skill will not install them). 2) Be deliberate about what CSVs you upload—CSV files can contain sensitive data (credentials, PII); the skill will read the full file and may write cleaned CSVs and PNGs to the environment. 3) Confirm where output files are saved and whether that storage is private/trusted. 4) If you lack the necessary Python packages, either provision an isolated environment with them or decline until you can run it in a controlled environment. No scanner findings were present because this is instruction-only (no code files) — that is expected but also means runtime behavior depends on the agent environment and available libraries.

Purpose & Capability: okThe name/description (CSV analysis) matches the runtime instructions: loading CSVs, cleaning, statistics, grouping, correlations, and charts. The only external dependency mentioned (Python with pandas and matplotlib) is appropriate and expected for this purpose.
Instruction Scope: okSKILL.md confines actions to reading user-supplied CSV files, performing data cleaning/analysis, generating summaries, saving PNG charts, and exporting cleaned CSVs. It does not instruct the agent to read unrelated system files, environment variables, or to transmit results to external endpoints.
Install Mechanism: okThere is no install spec (instruction-only), which is the lowest-risk model. The skill expects required Python libraries to already exist; it does not download or run external installers.
Credentials: okNo environment variables, credentials, or config paths are requested. The only resource access implied is the user-provided CSV file(s) and the ability to write output files (PNGs, CSVs), which is proportionate to the stated function.
Persistence & Privilege: okalways is false and the skill does not request persistent or elevated privileges or modifications to other skills. Autonomous invocation is allowed by default but is not combined with broad credential access or other red flags.