Back to skill
Skillv2.0.0
ClawScan security
Ai Automation Consulting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 30, 2026, 9:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only marketing/consulting skill (no code, no install, no credentials requested) and appears to do what it says — an informational/contact listing for AI automation services.
- Guidance
- This skill is essentially an informational/marketing listing and does not request access to your system or secrets. Things to consider before installing or using: verify the author/repository if you plan to trust or pay them (skill.json lists a GitHub repo), be cautious clicking external links or following payment offers (Gumroad link) or contacting via Telegram/WeChat (these are direct contact channels and not part of the skill runtime), and never provide credentials or sensitive data to an external contact unless you have independently verified their identity. The small version mismatch between SKILL.md and skill.json is benign but indicates sloppy metadata — if you need stronger assurance, ask the publisher for a verified repository or more details about what the consulting engagement entails.
Review Dimensions
- Purpose & Capability
- okThe name and description match the SKILL.md content (AI automation consulting, services and pricing). Nothing in the package requests unrelated access (no env vars, no binaries, no config paths).
- Instruction Scope
- okSKILL.md is descriptive/marketing text and does not instruct the agent to run commands, read files, or exfiltrate data. It only lists services, contact channels, and external links.
- Install Mechanism
- okNo install spec and no code files — nothing is downloaded or written to disk. This is the lowest-risk model for a skill.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. There is no disproportionate credential request.
- Persistence & Privilege
- okFlags are default (not always:true). The skill is user-invocable and may be called by the agent when eligible, which is normal for skills. It does not request persistent or cross-skill configuration.