Skill v1.0.0

ClawScan security

AI Revenue Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 20, 2026, 7:06 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
This is a small, local revenue-tracking skill that reads and writes local log and report files, with no network access or credential requests. It is coherent overall, but it contains two implementations that use different log formats, which can lead to inconsistent results if they are mixed.
Guidance
This skill appears local-only and coherent with its stated purpose, but review a few points before installing:
- It includes two implementations (main.sh and main.py) that use different log formats: main.sh uses pipe-separated lines, main.py writes JSON lines. Use one implementation consistently or convert logs to a single format to avoid missing transactions in reports.
- No network or credential access is requested, so it won't exfiltrate data by itself; still run it in a directory where writing logs is safe and back up any important files first.
- package.json exists but there is no install step; you can ignore it or run scripts via the provided shell script. If you need only one implementation, consider removing the other to avoid accidental mixing.
- If you plan to integrate this into broader automation, inspect concurrent-write behavior and add locking if necessary.
Overall: safe to run locally with normal caution (inspect files and run in an isolated project folder).

Review Dimensions

Purpose & Capability
note: The name/description (track and summarize income) matches the included scripts and files. Both a Bash (main.sh) and a Python (main.py) implementation are provided; that generally fits the stated purpose, but the two implementations write/read different log formats (main.sh writes pipe-separated lines, main.py writes JSON lines), which is disproportionate and can produce inconsistent reporting if both are used against the same log file.
Instruction Scope
note: SKILL.md instructs using main.sh for logging and reporting and references local files (logs/revenue.log, reports/daily_summary.md) only. The instructions do not request external files, environment variables, or network calls. Note: the repository also contains main.py (not referenced in SKILL.md usage examples), and mixing usage of main.sh and main.py will cause entries to be ignored by one or the other because of the format mismatch.
Install Mechanism
ok: No install spec and no downloads; this is instruction+scripts only. That is low risk and proportional for a small utility.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the code does not access any environment variables or external secrets. Requested resources are limited to creating local directories and files (logs/, reports/).
Persistence & Privilege
ok: Skill has no always:true flag and does not request elevated privileges or persist beyond its own files. It creates and writes to logs/ and reports/ within its directory only.