Skillv0.1.0

ClawScan security

Grupo Venus · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 28, 2026, 2:16 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are coherent with its stated purpose: it uses curl to interact with grupovenus.com, manages person records in a local memory file, and requests no external credentials or unusual installs.
Guidance: This skill appears to be what it claims: a conversational frontend that scrapes grupovenus.com and keeps person entries in ~/.openclaw/workspace/memory/grupo-venus.json. Before installing or using it, consider: (1) it stores birthdates, times, and locations locally — treat that as sensitive personal data and remove the file if needed; (2) the skill relies on ephemeral cookie jars and will interact with a third‑party website (unofficial use of their free tier) — review the site's terms if that matters to you; (3) city names must be encoded in Latin‑1 as documented (follow the instructions exactly to avoid incorrect coordinates); (4) there are no hidden credentials or external endpoints in the skill, but the agent will run curl commands on your behalf so only proceed if you trust the skill and the target site.

Purpose & Capability: okName/description match the instructions: all network calls target grupovenus.com and the workflow (cookie-based session, city lookup, POSTing person data) is consistent with fetching charts and reports. Declared dependency on curl (and examples using python3) is appropriate.
Instruction Scope: noteSKILL.md instructs the agent to read/write a local memory file (~/.openclaw/workspace/memory/grupo-venus.json), create temporary cookie jars, and run curl commands with specific Referer and encoding requirements. These actions are needed for the described site interactions but do involve storing personally identifiable birth data locally and creating session cookies; this is a privacy consideration rather than an incoherence.
Install Mechanism: okInstruction-only skill with no install spec and no downloaded code. This is the lowest-risk install posture. Examples assume curl and optionally python3 are available on PATH.
Credentials: okNo environment variables, secrets, or unrelated credentials are requested. All data access described is limited to the local memory path and the target site (grupovenus.com).
Persistence & Privilege: okalways:false and no installation hooks. The skill stores its own person data in a local memory file (expected behavior) and does not request elevated or cross-skill privileges.