Back to skill
Skillv2.0.1
ClawScan security
Partycraft · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 10:48 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested environment are coherent with a local CLI event-planning tool that stores data under ~/.partycraft; nothing requests unrelated credentials, network access, or elevated privileges.
- Guidance
- This skill appears coherent and only stores data locally in ~/.partycraft/events.json. Before installing, confirm you are comfortable storing event details unencrypted in your home directory and that python3/bash are available. If you want stronger privacy, back up or encrypt the ~/.partycraft directory. If you see any unexpected network activity after running the skill, stop and investigate, but none is present in the source.
Review Dimensions
- Purpose & Capability
- okName/description (event planning) match the delivered functionality: a CLI that creates events, budgets, tasks, guests, timelines, and checklist templates. The only required runtimes (bash, python3) are appropriate and documented.
- Instruction Scope
- okSKILL.md and the included script limit actions to local operations (printing to stdout and reading/writing ~/.partycraft/events.json). There are no instructions to read unrelated system files, access network endpoints, or exfiltrate data. The documentation and script are consistent.
- Install Mechanism
- okNo install spec or remote downloads are used; the skill is instruction-only with a bundled script. That minimizes installation risk.
- Credentials
- okThe skill requests no environment variables or credentials. It writes only to a single directory in the user's home (~/.partycraft), which is proportionate to storing user event data. Users should note their event data is stored unencrypted on disk.
- Persistence & Privilege
- okThe skill is not always-enabled and does not attempt to modify other skills or agent-wide configuration. Autonomous invocation is allowed by platform default but the skill itself does not request elevated persistence or system-wide changes.