Low Risk — Risk Score 20/100
Last scan: 21 hr ago
productivity-bot
Automation bot for productivity tasks including data processing, scheduled notifications, and workflow optimization.
SKILL.md documents a productivity bot with vague feature descriptions but contains no executable code, scripts, or dependencies, making direct risk minimal though documentation is insufficient.
Skill Name: productivity-bot
Duration: 35.9s
Engine: pi
Safe to install
Do not deploy this skill until actual implementation code (scripts, modules) is provided and reviewed. Request the full codebase and any dependency manifests before use.

Findings 3 items

Severity Finding Location
Medium
No allowedTools declared in SKILL.md · Doc Mismatch
The SKILL.md frontmatter does not include an allowedTools declaration. Without this, the inference engine cannot map declared permissions, and no baseline for comparison exists.
No allowedTools field in frontmatter
→ Add a proper allowedTools declaration to SKILL.md frontmatter specifying exactly which tools the skill may use (e.g., Read, Write, Bash, WebFetch).
SKILL.md:1
Medium
Feature claims with no implementation · Doc Mismatch
SKILL.md describes features (CSV/Excel processing, scheduled tasks, email alerts, webhooks) but provides no code, scripts, or manifests. This makes it impossible to verify the stated functionality or detect hidden behavior.
Auto-process CSV/Excel files, Daily reminders, Email alerts, Custom webhooks
→ Request the full implementation codebase. Do not approve or deploy based solely on documentation.
SKILL.md:1
Low
API keys mentioned without usage transparency · Doc Mismatch
SKILL.md lists 'Various API keys' under Requirements but provides no detail on which APIs are used, how credentials are stored, or whether they are exfiltrated.
Various API keys
→ Specify which APIs are required and how credentials are handled. Avoid using hardcoded credentials.
SKILL.md:43
Resource Declared Inferred Status Evidence
Filesystem NONE NONE
Network NONE NONE
Shell NONE NONE
Environment NONE NONE
Skill Invoke NONE NONE
Clipboard NONE NONE
Browser NONE NONE
Database NONE NONE

File Tree

1 file · 830 B · 43 lines
Markdown 1f · 43L
└─ 📝 SKILL.md Markdown 43L · 830 B

Security Positives

✓ No executable code present — no direct malicious behavior possible from static analysis alone
✓ No suspicious IOCs (IOCs array empty)
✓ No external network indicators or base64-encoded content observed
✓ No credential harvesting or shell execution patterns detected