Skill v1.0.6
ClawScan security
生日提醒 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 19, 2026, 5:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and required inputs are consistent with a local birthday reminder + notifier; it requests no unrelated credentials or installs and only uses network calls to send notifications to channels the user configures.
- Guidance: This skill appears to do what it says: calculate birthdays (solar/lunar) and send notifications to channels you configure. Before installing: (1) inspect notify.json and keep tokens/webhook URLs secret (file permissions, don't commit to public repos); (2) test with --dry-run and run the 'list' and 'check' commands to validate behavior; (3) if you schedule automatic runs, ensure the runtime environment only has network access to endpoints you trust (firewall rules or run in an isolated container if needed); (4) note lunar conversions are limited to 1900–2099 as documented. If you need higher assurance, review the scripts locally or run them in a sandboxed environment.
Review Dimensions
- Purpose & Capability (ok): Name/description match the provided scripts and docs. The Python scripts implement reminder calculation (solar/lunar) and multi-channel notification dispatch, which is coherent with the stated purpose.
- Instruction Scope (ok): SKILL.md directs the agent/user to run the included Python scripts and to provide local JSON configs. Instructions only reference the birthday and notify config files and official Automation scheduling; they do not request arbitrary system files or unrelated environment variables.
- Install Mechanism (ok): No install spec or external downloads. The repository contains local Python scripts to be run directly. No network-based install or extracted archives are used by the skill itself.
- Credentials (note): The skill requests no environment variables; notification channel credentials are supplied in notify.json (e.g., Telegram bot_token/chat_id, webhook URLs). This is appropriate for a notifier, but those secrets live in a file so users should protect that file (permissions, not checked into VCS).
- Persistence & Privilege (ok): always is false and the skill does not modify system or other skills' configs. It only runs as a local script and relies on the official Automation skill for scheduling.
