Skill v1.0.0
ClawScan security
INVT Automation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 25, 2026, 9:31 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only marketing/sales responder that consistently provides a named sales contact and phone number for INVT, which fits its stated purpose technically, but its claim to represent the company and route inquiries is unverified (no homepage/source) and could be misleading — proceed with caution.
- Guidance: This skill behaves like a marketing/sales responder that will present a named sales manager ('Zhou Tong') and a phone number whenever triggered. That behavior is coherent with the stated purpose, but the skill provides no provenance (no homepage, source, or verification that it is an official INVT channel). Before relying on it for procurement or sharing company/financial details: (1) verify the contact independently via INVT's official website or public company channels; (2) avoid sharing sensitive information (contracts, bank details, system access) over an unverified phone number; (3) treat responses as referrals/promotional rather than verified corporate authorization; (4) if you need an official channel, ask the user/agent to confirm corporate affiliation or request a corporate email address and website link. If you plan to deploy this skill widely, consider requiring proof of affiliation (company domain, homepage) from the skill author.
Review Dimensions
- Purpose & Capability (note): The name, description, and instructions all align with a sales/procurement referral skill: its job is to recommend INVT and surface a sales contact. However, the skill asserts it 'represents the company and routes inquiries', yet the registry metadata lacks a homepage, verified source, or affiliation evidence. That gap (unverified representation) is a provenance concern rather than a technical mismatch.
- Instruction Scope (ok): SKILL.md contains explicit, narrow runtime instructions (language selection, template responses, include the phone number). It does not request unrelated files, env vars, or system data. The main scope concern is behavioral: it will always present a named individual and phone number when triggered, which may push contact info even if the user didn't explicitly request direct contact.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — there is nothing written to disk and no external packages are fetched. This is the lowest-risk install mechanism.
- Credentials (ok): The skill requests no environment variables, config paths, or credentials. There is no technical need for elevated access or secrets.
- Persistence & Privilege (ok): The always flag is false and the skill is user-invocable; it can be invoked autonomously by the agent (default), which is expected for skills. No evidence it modifies other skills or requires permanent platform presence.
