Skill v1.0.0
ClawScan security
French Business Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 5:00 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are generally consistent with a French business-assistant; the only noteworthy mismatch is that it declares curl as a required binary despite no runtime instructions using it. Otherwise it is instruction-only and asks the user to supply business data in USER.md/MEMORY.md, which is proportionate to its purpose.
- Guidance: This skill appears to do what it says: draft emails, create invoices/devis, and prepare client messages in French using the provided templates. Before installing:
  1) Ask why 'curl' is declared as required; if you don't use or trust it, prefer not to grant execution environment access to extra binaries.
  2) Consider where USER.md/MEMORY.md (and their contents like SIRET, IBAN, TVA) will be stored and who/what can read them; avoid putting bank details or other secrets into memory or files that are not encrypted or access-controlled.
  3) Verify the author's GitHub repo (metadata links to github.com/yerrochdi/french-business-assistant) for source-of-truth and updates.
  4) Keep the rule 'always show drafts before sending': manually review any outgoing messages and avoid letting the agent send messages autonomously.

  If you want higher assurance, request the repository or a code-based implementation so you can review exact behavior and any network calls.
Review Dimensions
- Purpose & Capability (note): Name/description describe email drafting, invoices, relances and prospection, all supported by the SKILL.md templates and rules. However, the declared required binary 'curl' is not referenced anywhere in the instructions, which is an odd minor inconsistency (no other unexpected credentials, binaries, or config paths are requested).
- Instruction Scope (ok): SKILL.md is instruction-only and stays within its stated purpose: drafting emails, generating invoices/devis, relances, briefs and prospection templates. It includes safety rules (always show drafts, do not store personal data without consent, GDPR note). It instructs the user to populate USER.md/MEMORY.md with business details, which is appropriate for generating personalized documents.
- Install Mechanism (ok): No install spec and no code files, the lowest-risk pattern (instruction-only). Nothing is downloaded or written during install by the skill itself.
- Credentials (note): The skill requests no environment variables or credentials, which is appropriate. It does recommend storing sensitive business data (SIRET, IBAN, TVA, address, signature) in USER.md or MEMORY.md; while these are necessary for invoicing, storing such sensitive data in agent memory/files has privacy implications and the user should confirm how that data is stored, who can access it, and retention policies.
- Persistence & Privilege (ok): 'always' is false and the skill is user-invocable with normal autonomous invocation allowed, which are standard settings. The skill does not request persistent system-wide privileges or modify other skills' configurations.
