Skillv1.0.0

ClawScan security

Ddzaishot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 15, 2026, 11:35 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The code and runtime instructions match the stated purpose (screen-scan card recognition, AI suggestions, optional automated mouse actions); nothing asks for unrelated credentials or external downloads.
Guidance: This skill appears to be what it says: it captures your screen, reads card images (using templates), keeps game state, suggests plays, and can optionally control the mouse to click in the game. Before installing/using: 1) Only run it when no sensitive windows are visible—it takes and saves screenshots to logs/. 2) Prepare templates/ as described and test in demo mode first; do not enable automatic play until you verify positions via calibration. 3) The skill uses pyautogui to perform clicks; be aware auto-mode can interact with any foreground UI (pyautogui.FAILSAFE is set, but treat with caution). 4) Dependencies are standard PyPI packages—install them in a virtual environment. 5) There are no network calls or credential requests. If you want extra assurance, run the code in a sandboxed environment (or inspect templates/logs directories) before granting it interactive control of your desktop.

Review Dimensions

Purpose & Capability: okThe name/description (斗地主牌局识别、记牌、AI出牌与可选的鼠标辅助) align with the provided code: screen capture and recognition (screen.py), AI decision logic (ai.py), game state (game.py/cards.py), and mouse automation (mouse.py). Required resources (templates/, logs/) and listed Python dependencies match the feature set.
Instruction Scope: okSKILL.md contains concrete, scoped commands (scan, suggest, demo, status) and instructs installing Python deps and preparing card templates. Runtime actions are limited to local screen capture, image template matching, simple OCR/heuristics, game state management, and local mouse control. The instructions do save screenshots to logs/ and require templates/ for recognition, which is documented.
Install Mechanism: okNo automated install spec is present; the skill is instruction/code-only. Dependencies are standard PyPI packages (opencv-python, numpy, pyautogui, pillow, mss, keyboard) listed in requirements.txt and SKILL.md. No downloads from arbitrary URLs or archive extraction are used.
Credentials: okThe skill requests no environment variables, no credentials, and accesses only local files/directories (templates/, logs/). There are no network endpoints or secrets required by the code.
Persistence & Privilege: notealways is false and the skill does not modify other skills or system-wide configs. However, it provides automated mouse control (pyautogui) and supports an AutoPlayer mode; because the platform allows autonomous invocation by default, combining autonomous invocation with automated input can have broader impact if enabled—this is expected for an auto-play assistant but worth user attention.