Skillv1.1.0

ClawScan security

House Buying Advisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 11, 2026, 12:57 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requested capabilities, instructions, and lack of installs/credentials are coherent with a house‑buying advisory assistant; it asks for data collection and web lookups that match its purpose but may prompt users to share sensitive personal documents during use.
Guidance: This skill appears internally consistent and contains useful, practical workflows for buying a used home. Before installing/using it, consider: (1) Privacy: the instructions encourage sharing sensitive items (bank app screenshots, ID, contracts). Never upload full account credentials or unredacted identity documents unless you trust how the platform stores/transmits them; redact or mask account numbers and ID numbers where possible. (2) Verification: the skill relies on web_search and third‑party listing sites — always cross‑check policy and title/registration facts at official government registries and consult a lawyer or mortgage officer for contract/loan decisions. (3) Data retention: confirm the platform’s conversation and file retention policy (will uploaded images be stored, used for model training, or accessible to third parties?). (4) Operational caution: follow the checklists but do not treat AI outputs as legal/financial advice; validate tax/contract wording and property title issues with qualified professionals. (5) Provenance: the skill has no homepage or known source; while it requires no installs or secrets (low technical risk), exercising normal caution about sharing sensitive personal documents is recommended.

Review Dimensions

Purpose & Capability: okName/description (second‑hand house buying advisor) match the instructions and reference materials. The SKILL.md explicitly instructs web searches, source comparison, policy checks, checklists and negotiation playbooks — all directly relevant to the stated purpose. No unrelated binaries, env vars, or installs are requested.
Instruction Scope: noteThe skill is instruction‑only and instructs the agent to perform web_search and to collect/organize marketplace and policy data — appropriate for the task. It also encourages real‑time collaboration with the user and suggests items users may present (e.g., bank APP balance screenshots, ID/contract documents). That is coherent for negotiation/closing workflows, but it creates a privacy risk because users might be prompted to share sensitive images or documents with the agent.
Install Mechanism: okNo install spec, no code files to execute, and no downloads. This instruction‑only format minimizes install surface and disk persistence risk.
Credentials: okThe skill does not request environment variables, credentials, or config paths. All required data is contextual user input and web search — proportional to the described functionality.
Persistence & Privilege: okalways:false and default invocation settings. The skill does not request permanent presence or modify other skills. Normal autonomous invocation is allowed by platform defaults.