Skillv1.0.1

ClawScan security

market analysis for vehicle · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 2:44 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only market-research assistant whose requested resources and actions are coherent with its stated purpose and it does not ask for unrelated credentials or install anything.
Guidance: This skill is an instruction-only market-research advisor and appears internally consistent. Before installing/using: (1) Understand it cannot fetch paywalled/proprietary data on its own — provide credentials or datasets if you need live data; (2) Do not paste sensitive credentials or private documents into chat; (3) Treat any automatically generated lists (dealer contacts, pricing, certification costs) as starting points — verify with local sources and legal/regulatory counsel; (4) If you expect integrated API lookups (Statista, SEMrush, GoodsFox), plan how to supply API keys or run those lookups externally and feed results into the skill.

Review Dimensions

Purpose & Capability: noteThe skill's name/description match the instructions: it is a market-analysis consultant for overseas auto expansion. One minor mismatch: the SKILL.md repeatedly references paid/proprietary data sources and tools (Statista, SimilarWeb, SEMrush, GoodsFox, Google Trends, etc.) and implies use of them, but the skill declares no credentials or installs. This is explainable (the agent can instruct the user how to collect or interpret such data), but it cannot fetch paid/private data autonomously without the user providing access.
Instruction Scope: okThe runtime instructions stay within market-analysis scope: ask structured questions, build funnel-based screening, request data collection for country scoring, and produce reports. The instructions do not direct the agent to read system files, access unrelated environment variables, or exfiltrate data to unexpected endpoints.
Install Mechanism: okNo install spec and no code files (instruction-only). This minimizes disk write/execution risk and is consistent with a consultancy-style skill.
Credentials: noteThe skill requests no environment variables or credentials, which is proportionate. However, if a user expects the agent to retrieve live/proprietary data from the named services, those services typically require API keys or paid accounts; the SKILL.md does not request nor explain how to provide such credentials, which may lead to the agent producing estimates or asking the user to supply data.
Persistence & Privilege: okThe skill does not request always:true, does not modify system or other skills, and has no declared persistence or elevated privileges.