Back to skill
Skillv1.0.52
ClawScan security
Ai Brand Naming · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 3:49 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only, marketing-style skill for brand naming with no code, no install steps, and no requested credentials — nothing in the bundle contradicts the stated purpose.
- Guidance
- This skill appears low-risk because it contains no code and asks for no secrets, but it is underspecified: SKILL.md is just marketing copy with no runtime instructions or source/homepage. Before installing, consider asking the publisher for: (1) the implementation details or code, (2) exactly how the agent should generate and where it will send data (any external APIs), and (3) sample outputs. If you install it, run it in a restricted/sandboxed environment first and avoid submitting sensitive or proprietary inputs until you confirm how data is handled. Also be skeptical of the ROI claims and pricing — they look promotional rather than technical guarantees.
Review Dimensions
- Purpose & Capability
- okName, description, and the provided SKILL.md all describe an AI brand-naming product; the package does not request unrelated binaries, credentials, or config paths.
- Instruction Scope
- noteSKILL.md contains only marketing, pricing, and ROI claims and provides no actionable runtime instructions. Because it is vague, an agent using this skill may need to invent how to operate (which can broaden what the agent does), so the lack of defined behavior is a usability/privacy concern rather than an outright security mismatch.
- Install Mechanism
- okNo install spec and no code files — lowest-risk configuration (nothing is written to disk or downloaded by the skill itself).
- Credentials
- okThe skill requests no environment variables, credentials, or config paths; there is no disproportionate access requested.
- Persistence & Privilege
- okDefaults are unchanged (not always:true). The skill is user-invocable and may be called autonomously by the agent (platform default), which is expected and not by itself problematic.