Skill v1.0.0

ClawScan security

🇪🇺 北欧市场政策查询Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 10:58 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requirements and instructions are internally consistent with a read-only policy lookup assistant: it declares no credentials or installs and the SKILL.md contains only usage and calibration notes.
Guidance
This skill appears coherent and low-risk, but note two practical caveats: (1) SKILL.md is vague about which online sources or network calls it will use — if you care about data provenance or sensitive query content, test it first with non-sensitive examples and check network/logs to see where queries go; (2) source/homepage are unknown and the author email is a personal address, so prefer skills from known publishers for production use. Before installing, verify via your platform's audit/logging that the skill does not request credentials at runtime and review any runtime network requests if possible. If you need stronger assurance, ask the publisher for a list of data sources and an explanation of the 'quick calibration' step.

Review Dimensions

Purpose & Capability
ok: Name, description and declared requirements line up: a market-policy lookup for Nordic / ANZ regions that claims 'no API key' and requests no env vars, binaries, or config paths — this is proportionate.
Instruction Scope
note: SKILL.md is an instruction-only doc that gives examples and mentions an automatic 'quick calibration' on first load; it does not instruct the agent to read local files, access credentials, or call any specific external endpoints. However, it is vague about what data sources or network calls the agent will use at runtime (web scraping, public APIs, or local caches), and 'automatic calibration' implies runtime activity whose scope is unspecified.
Install Mechanism
ok: No install spec or code files are included (instruction-only), so nothing is written to disk or downloaded as part of the skill itself — lowest install risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. That matches its stated 'no API key' design and is proportionate for a lookup/reporting skill.
Persistence & Privilege
ok: always is false and there is no indication the skill modifies other skills or requests elevated/system-level privileges. Autonomous invocation is allowed by default but is not combined with other privilege concerns here.