Skill v0.1.0
ClawScan security
Rd Cost · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 12:46 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only R&D cost estimation skill and its requirements and instructions are internally consistent with its stated purpose.
- Guidance: This skill appears coherent and low-risk because it is instruction-only and asks for only project parameters. Before installing or using it: 1) Be careful about uploading sensitive payroll or personnel files—only share what’s necessary. 2) Remember the outputs are estimates; validate results with your finance/accounting team before using for filings or formal budgets. 3) If you intend to feed spreadsheets, confirm how the platform will provide file contents to the skill (the SKILL.md claims Excel/CSV support but contains no parsing code). 4) If you need tax/legal compliance, consult a qualified advisor—this skill provides guidance but is not a substitute for professional advice.
Review Dimensions
- Purpose & Capability (ok): Name/description (R&D cost evaluation, budget estimation, ROI) align with the instructions: collecting project parameters, applying clear formulas, and producing a templated report. The skill does not request unrelated credentials, binaries, or config paths.
- Instruction Scope (note): SKILL.md stays within scope: it specifies required input fields, explicit calculation formulas, output templates, and when to prompt for missing parameters. It mentions support for Excel/CSV inputs and Word/Excel/Markdown outputs but does not include parsing code or specify how file uploads are handled by the platform — this is a functional gap but not a security issue in itself. The instructions do not ask the agent to read system files, environment variables, or send data to external endpoints.
- Install Mechanism (ok): No install spec and no code files (instruction-only). Nothing is written to disk or downloaded, which minimizes install-time risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. The declared inputs (project type, headcount, salaries, etc.) are proportional and necessary for cost estimation.
- Persistence & Privilege (ok): always is false and the skill is user-invocable; it does not request permanent presence or modification of other skills/configurations. Autonomous invocation is possible (platform default) but is not combined with other concerning privileges.
