Back to skill
Skillv1.0.0
ClawScan security
Zhongguancun Signal Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 27, 2026, 2:26 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with its stated purpose (public-signal scanning and lead-generation for industry collaboration) and it does not request unexplained credentials, installs, or system access.
- Guidance
- This skill appears internally consistent and only uses public-signal scanning and internal scoring. Before installing, confirm that your agent/bot has safe web/browsing permissions and that you are comfortable allowing it to perform web searches on behalf of the agent. The skill will not request credentials, but if you ask it to research private/internal companies or share private documents, avoid providing sensitive credentials or proprietary files. Check the seed-list and scoring rules to ensure they match your priorities and update the company list if you need different monitoring targets. Finally, verify sources cited in reports — the skill automates discovery but may surface noisy or false-positive signals that should be validated before outreach.
Review Dimensions
- Purpose & Capability
- okThe name/description match the SKILL.md: it describes scanning public signals (financing, bids, product releases, publications) and ranking leads. There are no unexpected environment variables, binaries, or install steps requested that would be unrelated to this purpose.
- Instruction Scope
- okInstructions are limited to searching public signals, applying a scoring rubric, and producing a report. The skill does not instruct reading local files, accessing unrelated credentials, or sending data to external endpoints beyond normal web searches. It does rely on a 'search tool' or web access which is expected for this function.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files to write to disk, minimizing install-time risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. The requested access (web/search capability) is proportionate to performing public-signal monitoring.
- Persistence & Privilege
- okalways:false and normal model invocation settings. The skill does not request persistent elevated privileges or to modify other skills/config; autonomous invocation is allowed by platform default but is not combined with additional concerning capabilities.