Skill v1.0.0

ClawScan security

Survival Analysis (KM) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 28, 2026, 6:45 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to do what it claims (Kaplan–Meier survival analysis) and its files, dependencies, and runtime instructions are proportionate to that purpose, but the provided main.py was partially truncated so a full review is recommended before trusting it with sensitive data.
Guidance
This package is coherent with its stated purpose and uses appropriate libraries. Before installing/using: (1) run the script in an isolated sandbox (non-production) with non-sensitive test data; (2) review the full scripts/main.py (the provided copy was truncated in the bundle you gave me) to confirm there are no network calls, hidden subprocess invocations, or filesystem accesses beyond the declared input/output; (3) pin dependency versions in requirements.txt to reduce supply-chain risk; (4) ensure the output directory and input paths are validated/sandboxed to avoid accidental path traversal or overwriting important files; and (5) if you will analyze real clinical data, get a biostatistician to review results and ensure you meet privacy/regulatory requirements.

Review Dimensions

Purpose & Capability
ok: Name/description, SKILL.md, requirements.txt, sample data, and scripts/main.py all align with a survival-analysis tool. Declared dependencies (lifelines, pandas, numpy, matplotlib, seaborn) are appropriate and expected.

Instruction Scope
note: The SKILL.md instructs running the included Python script with a CSV input and writing outputs to a results directory — this matches the code. Minor inconsistencies in SKILL.md (parameter table flags: e.g., `--group` and `--risk-table` marked as required in the table while elsewhere optional) are documentation issues but do not indicate malicious intent. The doc requests input-path validation and restricting output to the workspace, but the visible code performs only basic path-existence and CSV validation; there is no explicit sanitization of the output path nor explicit enforcement against `../` traversal in the shown code.

Install Mechanism
ok: No install spec; the skill is instruction-only and ships a requirements.txt for pip. This is standard for Python scripts and is low risk compared to downloading arbitrary binaries from unknown hosts.

Credentials
ok: The skill requests no environment variables or credentials. Dependencies are reasonable for the stated purpose. There are no signs of unrelated credential access in the provided code.

Persistence & Privilege
ok: `always: false` and no install hooks were provided. The skill does not request persistent/privileged presence or modification of other skill configs based on the supplied files.