Back to skill
Skillv1.0.0
ClawScan security
Timemap · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 21, 2026, 10:59 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its description: a Python CLI wrapper that reads a public timemap.co.il API, caches results in the system temp directory, and exposes search/timeline/nearby functionality — it requests only python3 and no credentials.
- Guidance
- This skill appears to do what it claims: a local Python CLI that queries timemap.co.il's public API and caches results in the system temp directory. Before installing, verify the GitHub source if you want stronger provenance, ensure you are comfortable allowing outbound network access to timemap.co.il (the skill needs it to fetch data), and note that it stores a non-sensitive cache file in the OS temp directory. No credentials are required and no obvious exfiltration or privileged behavior is present.
Review Dimensions
- Purpose & Capability
- okName/description match the included code and instructions. The skill only requires python3 (declared) and the code fetches public data from timemap.co.il as described; there are no unrelated environment variables, binaries, or config paths.
- Instruction Scope
- okSKILL.md instructs running the included Python script with specific commands. The runtime instructions and code limit themselves to fetching the public API, caching results, formatting output, and computing distances. They do not read arbitrary user files, other skills' config, or hidden credentials.
- Install Mechanism
- okNo install spec (instruction-only) and the shipped code is a standalone Python script using only the standard library. Nothing is downloaded from untrusted URLs or extracted to disk by an installer beyond the provided script.
- Credentials
- okNo environment variables or credentials are requested. The script uses a User-Agent header and contacts only the public timemap.co.il API (and produces Google Maps links for coordinates). No secrets are needed or accessed.
- Persistence & Privilege
- okThe skill is not always-enabled and does not modify other skills or system-wide agent configuration. It writes a cache file to the system temporary directory (CACHE_FILE in tempfile.gettempdir()) — a reasonable, limited persistence for caching only public data.