Skill v1.0.0
ClawScan security
China Lighting Sourcing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 5:22 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and runtime instructions match its stated purpose: it is a read-only, data-backed sourcing guide with no unexpected network calls, credential requests, or privileged install steps.
- Guidance: This skill appears internally consistent and low-risk: it only reads bundled data.json and exposes helper functions from do.py. Before installing, consider provenance and accuracy (the homepage/source is missing and the owner ID is unknown), and review data.json if you need to confirm claims or ensure no sensitive/personal data is present. Because the skill can be invoked by the agent, be aware it can be called autonomously, but it does not request credentials or perform network I/O.
Review Dimensions
- Purpose & Capability (ok): Name/description (China lighting sourcing) align with included assets: SKILL.md, data.json (industry/regional data) and do.py (read-only accessors). There are no environment variables, external credentials, or unrelated binaries requested.
- Instruction Scope (ok): SKILL.md describes using the provided functions to query cluster- and subsector-level data. The code implements only local reads from data.json and returns structured data; it does not read unrelated files, environment variables, or instruct network transmissions.
- Install Mechanism (ok): No install spec (instruction-only skill with bundled code/data). Nothing is downloaded or extracted at runtime; all logic and data are included in the package.
- Credentials (ok): The skill requires no environment variables or credentials. There are no requests for secrets or access to unrelated config paths; behavior is limited to local data access.
- Persistence & Privilege (ok): always is false and disable-model-invocation is false (normal). The skill does not modify other skills or system settings and has no persistent installation actions beyond providing its bundled files.
