Skill v1.0.52

ClawScan security

Ab Test Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 3:49 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's description and runtime instructions broadly match an A/B analysis tool, but there are metadata and implementation gaps (CLI usage shown without any code/install or required binaries, and a version mismatch) that make its actual behavior ambiguous.
Guidance
This skill looks like a straightforward A/B-test analyzer, but there are gaps you should clarify before installing or sending sensitive data:
1) Ask the publisher where the analysis runs (local agent, cloud service, third-party API) and how data is transmitted/stored.
2) Request source code or an install artifact if you expect a CLI — the SKILL.md shows commands but no code or install spec is included.
3) Confirm the version discrepancy (registry 1.0.52 vs skill.json 1.0.0) and verify the author/owner.
4) Avoid uploading PII or sensitive datasets until you know the processing/storage model and have a privacy/security statement.
If the publisher can't answer these, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
concern: Name/description and SKILL.md describe A/B analysis and report generation, which is coherent. However the docs show CLI commands (openclaw run ab-test-analyzer ...) that imply an executable implementation, yet the package has no install spec, no code files, and no required binaries. skill.json version (1.0.0) differs from registry version (1.0.52); source/homepage are missing. These inconsistencies mean it's unclear how or where the analysis actually runs.
Instruction Scope
note: SKILL.md only instructs importing CSV, running analysis, and generating reports — all within the stated scope. It does not instruct reading unrelated system files or requiring credentials. However it does not state where processing occurs (locally, in-agent, or remote service) nor how uploaded data is handled, stored, or shared, which is important for data sensitivity.
Install Mechanism
ok: No install spec and no code files are present, so nothing is written to disk by an installer. This is lower-risk, but also contributes to the ambiguity about how the CLI commands in the documentation would be supported.
Credentials
ok: No environment variables, credentials, or config paths are requested — proportional for the described purpose. There is no sign of unrelated credential access.
Persistence & Privilege
ok: Skill is not always-enabled and uses default invocation behavior. It does not request elevated or persistent privileges, nor does it declare modifying other skills or system settings.