Skill v1.0.1

ClawScan security

Listed Company Compliance · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 6:02 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only Chinese listed-company compliance assistant whose declared purpose matches the files and instructions it contains; it asks for no credentials and installs nothing.
Guidance
This skill appears coherent and benign: it bundles regulatory guidance, checklists and templates for Chinese listed-company compliance and requests no credentials or installs. Before installing or using it: (1) do not paste real personal identifiers (身份证号, bank/account numbers, etc.) or confidential documents into public prompts or third-party services; (2) treat outputs as informational only — consult a qualified lawyer or advisor for binding legal advice; (3) verify the author/source and review update.md/CHANGELOG to ensure materials are current with the latest regulations; (4) if you plan to automate generation or send documents externally, confirm you are not leaking sensitive data to other systems or networks.
Findings
[no-findings] expected: The regex-based scanner found nothing to analyze — expected for an instruction-only skill that contains plaintext rules and templates. Absence of findings is not a substitute for manual review of content (e.g., PII fields in templates).

Review Dimensions

Purpose & Capability
ok: The skill name/description (Chinese listed-company compliance assistant) matches the included rules, checklists and document templates. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
note: SKILL.md tells the agent to consult the packaged rules/templates and to generate compliance documents. That stays within scope. Note: many templates include fields for personal identifiers (e.g., 身份证号) and other PII — the skill does not itself exfiltrate anything, but users and agents could be prompted to enter sensitive personal/company data when using templates, so exercise caution with what you paste into the agent or external systems.
Install Mechanism
ok: No install spec and no code to run — instruction-only. This minimizes supply-chain risk (nothing is downloaded or written to disk by an installer).
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets.
Persistence & Privilege
ok: always is false and the skill does not request persistent/system-wide privileges or modify other skills' configs. Autonomous invocation is allowed (platform default) but the skill has no elevated privileges.