Skillv1.0.0

ClawScan security

点教 Amulett · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 23, 2026, 3:33 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (guided daily meditation/reflection); it contains only local, non-networked content and a simple console script, with no requested secrets or risky installs.
Guidance: This skill appears benign and does what it says: provides two local reference texts and a small, self-contained Python script that prints a daily mantra and reflection question. Before installing, consider: (1) provenance — the source/homepage is unknown, so if you require a maintained or auditable skill prefer one with a known author or repository; (2) feature expectations — SKILL.md mentions reminders and log recording, but the package lacks scheduling or storage code, so you will need to wire those up (or grant additional capabilities) if you want automatic reminders or persisted journals; (3) future updates — watch for later versions that might add network, credential, or install steps. If you only want local meditation prompts and texts, this skill is lightweight and safe to use.

Review Dimensions

Purpose & Capability: noteThe name/description (daily meditation, reflection, reading classics, mantra) align with the included files: two reference texts and a small daily_practice.py that prints a mantra, a question, and a symbol. One minor mismatch: SKILL.md advertises features like "每日提醒练习" (daily reminders) and "反思日志记录" (reflection log recording), but there is no implementation for scheduling reminders or persisting logs—only a console script that prints a daily prompt.
Instruction Scope: noteSKILL.md contains only benign, scope-limited instructions for meditation triggers and pointers to local reference files. It does not instruct the agent to read system files, access environment variables, or call external endpoints. However, the instructions are higher-level (mentioning reminders and logging) while the included script only provides a one-off console output; the runtime behavior is therefore more limited than the advertised feature list.
Install Mechanism: okNo install specification is present (instruction-only skill with an included script). Nothing is downloaded or written to disk by an installer. The included Python script is small, readable, and self-contained with no network or subprocess usage.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The bundled code does not access secrets or external services, so there are no disproportionate credential requests.
Persistence & Privilege: okThe skill does not request always:true and is user-invocable only. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default on the platform, which is normal; this skill does not introduce extra persistence or privileges.