compliance-officer

Fail

Audited by Socket on Feb 21, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Natural language instruction to download and install from URL detected

BENIGN with moderate risk due to external URL fetching for regulatory references. The skill’s footprint is coherent with its stated purpose and does not display clear malicious behavior or credential handling beyond typical content auditing activities.

LLM verification: The SKILL.md fragment describes a legitimate-seeming compliance assistant with appropriate capabilities for reviewing copy, emails, and privacy policies. There is no direct evidence of malicious code in the provided fragment. However, the use of an npx/clawhub install command (download-and-execute pattern) and lack of any documented data handling or telemetry policy present a moderate supply-chain and data-exfiltration risk. I recommend auditing the linked GitHub repository and the clawhub insta

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Feb 21, 2026, 06:16 AM
Package URL: pkg:socket/skills-sh/openclaw%2Fskills%2Fcompliance-officer%2F@7747c15b6bb205f9491fee1fe448d7606bf0ad42