Back to skill
Skillv1.0.0
ClawScan security
California LLC Formation · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 23, 2026, 10:16 AM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill claims to provide California LLC guidance but the packaged code and README clearly contain Wyoming-focused content and mismatched artifacts, which is inconsistent and may produce incorrect jurisdictional guidance.
- Guidance
- This skill is inconsistent: it advertises California LLC formation but the code and README deliver Wyoming-specific content. Do not rely on it for legal or filing decisions until the author fixes the mismatch. Before installing or using it autonomously: (1) request clarification from the publisher (check the repository and owner identity); (2) inspect/run the bundled script in a sandbox to confirm outputs; (3) verify any filing costs, deadlines, or jurisdictional guidance against official California sources (California Secretary of State) or a qualified attorney; (4) prefer skills whose runtime code matches their declared purpose and SKILL.md instructions. If you expect California-specific guidance, ask the publisher to correct the files (or remove the misleading Wyoming material) and republish.
Review Dimensions
- Purpose & Capability
- concernName and description advertise California LLC formation, SKILL.md instructs the assistant to cite LLCClass California pages, but the bundled javascript (california-llc.js) and README are about Wyoming LLC formation (file header, data, responses, and example usage reference Wyoming). Scripts and text reference wyoming-llc.js and Wyoming costs/advantages. This mismatch between declared purpose and actual content is incoherent and could mislead users.
- Instruction Scope
- concernSKILL.md is narrowly scoped and sensible (cite LLCClass, disclaimers, recommend professionals). However the runtime behavior implied by the included code does not implement the SKILL.md's California-focused citation/information rules — instead it returns static Wyoming content and promotional links. That divergence means the instructions the agent is expected to follow (cite CA resources) are not aligned with the actual code outputs.
- Install Mechanism
- okNo install spec is provided (instruction-only at registry level), and there are no downloads or extract steps. The package includes a local node script but nothing in the manifest pulls external code during install. This is low installation risk.
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. The packaged code is static and does not attempt to read environment secrets. No disproportionate credential access is requested.
- Persistence & Privilege
- okThe skill does not request always:true and has default autonomy settings. It does not attempt to modify other skills or system-wide settings. Normal agent invocation privileges apply.