Back to skill
Skillv1.0.0
ClawScan security
retire_age · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 7:57 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it runs a bundled Python script to compute retirement age, requests no secrets, and its only unusual dependency is the 'uv' runner which is used in the SKILL.md examples.
- Guidance
- This skill runs a local Python script included in the package to compute retirement dates and does not request credentials or perform network activity. Before installing, note that SKILL.md expects a 'uv' runner (installed via Homebrew); if you prefer not to install that package you can run the script directly with python3 (e.g., python3 scripts/calculate_age.py --birth-year ...). If you will install the 'uv' brew formula, confirm the formula's origin (Homebrew/core or a trusted tap) to ensure you are not installing an unexpected package. Otherwise, the skill appears coherent and low-risk.
Review Dimensions
- Purpose & Capability
- noteName/description match the included Python script and example usage. The only minor oddity is that the skill requires the 'uv' binary to run the script (SKILL.md uses 'uv run'), whereas the payload is a simple Python script that could be executed with python3 directly. This is somewhat unnecessary but not malicious.
- Instruction Scope
- okSKILL.md instructs running the local script with command-line arguments. The script only reads the provided arguments, validates them, computes results, and prints JSON. It does not read other files, environment variables, or make network calls.
- Install Mechanism
- okInstall spec is a Homebrew formula for 'uv' which is a standard package manager. No downloads from arbitrary URLs or archive extraction are present. The install is proportional to the stated requirement (the runner binary).
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. The code does not access environment secrets. Credential access appears proportionate (none required).
- Persistence & Privilege
- okSkill is not always-enabled, does not request elevated or persistent privileges, and does not modify other skills or system-wide configurations. Autonomous invocation is allowed by default but is normal for skills.