Skillv1.0.0

ClawScan security

Jewish Parsha Summary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 27, 2026, 7:30 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions match its stated purpose (fetching parsha info from Hebcal and text from Sefaria), request no credentials, and do not attempt unexpected network calls or installs.
Guidance: This skill appears to do what it says: it queries Hebcal to detect the parsha and pulls text from Sefaria, requires internet, and asks for no credentials. Before installing, note a few functional caveats: (1) parsha name matching in the included script is case-sensitive despite SKILL.md saying case-insensitive—pass names using the exact capitalization or improve normalization; (2) full Hebrew text is only printed when using --json (non-JSON output only indicates Hebrew is available); (3) the verse count is the length of the top-level returned list and may not equal literal verse counts in all cases. If you need different behavior (case-insensitive names, inline Hebrew in non-JSON mode, different summary algorithm), request those changes or review/modify the script locally. Otherwise the skill's network calls are limited to the documented public APIs and there are no obvious security red flags.

Purpose & Capability: okThe SKILL.md claims to detect this week's parsha via Hebcal and fetch text from Sefaria; the included Python script implements exactly those calls (https://www.hebcal.com and https://www.sefaria.org/api). No unrelated services, credentials, or binaries are requested.
Instruction Scope: noteOverall the SKILL.md commands and examples match the script's CLI. Minor inconsistencies: SKILL.md states accepted parsha names are case-insensitive, but the script's parsha_map lookup is case-sensitive (so e.g., 'bereshit' would not match). Also SKILL.md advertises an optional --hebrew flag; the script only prints a notice about Hebrew availability in non-JSON mode and only includes full Hebrew text in --json output (SKILL.md mentions Hebrew is truncated in non-JSON mode, but examples imply inclusion). These are functional mismatches, not security issues.
Install Mechanism: okInstruction-only skill with a small Python script; no install spec, no external package downloads, and no archive extraction. No elevated install risk present.
Credentials: okThe skill declares no required environment variables or credentials and the code does not read any environment secrets or config paths. Network access is limited to Hebcal and Sefaria per its purpose.
Persistence & Privilege: okSkill does not request persistent/always-on presence (always:false). It does not attempt to modify other skills or system configuration.