Skill v1.0.0

ClawScan security

Product Requirement Miner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 21, 2026, 4:01 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose: it includes a harmless CSV-reading helper, textual instructions for classification/clustering/reporting, requests no credentials, and has no hidden network endpoints or risky install sources.
Guidance
This skill appears to do what it claims: it ships a safe CSV-reading script and templates and gives step-by-step instructions for analysis. Before installing/running: (1) be aware the SKILL.md asks you to pip install chardet which will change your Python environment; run it in a virtualenv if you want isolation; (2) classification and clustering logic are described but not implemented in code — the agent or your model will perform those steps, which may send review text to external LLMs or services; avoid feeding sensitive/private data unless you trust that destination; (3) review scripts/read_csv.py yourself (it is short and benign) and ensure you run the skill on non-sensitive sample data first. Overall the package is coherent and does not request excessive privileges or secrets.

Review Dimensions

Purpose & Capability
ok: Name/description align with the files provided. The only shipped executable code (scripts/read_csv.py) reads CSVs and writes raw_reviews.txt — exactly what you'd expect for the first step of the described pipeline.
Instruction Scope
note: SKILL.md defines end-to-end processing (cleaning, classification, clustering, roadmap generation). However, only a CSV-reading script is provided; the classification, clustering and roadmap generation are described as procedures/templates but have no packaged implementation. The instructions do not ask the agent to read unrelated files, environment variables, or contact external endpoints. Note: running the skill may cause the agent to send review text to whatever LLM or external services the agent normally uses — review that behavior if reviews contain sensitive data.
Install Mechanism
note: No install spec in registry; this is instruction-only. The SKILL.md tells users to run 'pip install -r requirements.txt' (requirements.txt lists only chardet). This is low risk but will modify the Python environment when installed.
Credentials
ok: No environment variables, credentials, or config paths are requested. The skill requires no secrets and only reads the CSV file provided by the user.
Persistence & Privilege
ok: always is false and the skill does not request system-wide configuration changes. It only writes output files in the working directory as described in SKILL.md.