Skill v2.0.0
ClawScan security
Study Plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:50 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with a local study-plan/CLI tool: it contains benign shell + Python scripts that generate plans and store data in a per-user data directory, requests no credentials, and has no network exfiltration or surprising behavior in the provided files.
- Guidance
- This skill appears to be a straightforward local study-plan generator. Before installing or running it, consider: (1) There is no automated installer; the SKILL.md shows a 'study-plan' command but only scripts are included — you'll need to place/rename them or run scripts directly. (2) The scripts will create files in your user data directory (STUDY_PLAN_DIR or ~/.local/share/study-plan) — inspect those files if you care about local storage. (3) There are no network calls or credentials requested in the provided files, which lowers risk. (4) If you want extra assurance, review the full Python portion (the manifest was truncated in the listing) and run the scripts in a sandbox or VM first. If you plan to let an agent run this skill autonomously, be aware it can execute the included scripts which will write local files — but there is no indication of data exfiltration or credential access.
Review Dimensions
- Purpose & Capability
- note: Name/description = study-plan generator, and the included scripts implement that functionality (plan/daily/review/pomodoro). Minor mismatch: SKILL.md shows usage as a 'study-plan' CLI, but there is no install spec or packaged executable named 'study-plan' — only scripts (scripts/script.sh and scripts/study.sh). That means the CLI shown in examples may require manual installation/renaming or platform wiring.
- Instruction Scope
- ok: SKILL.md instructions and the scripts' behavior stay within the stated purpose: generating study plans, schedules, pomodoro sequences, and simple local task listing. The scripts read/write only to a local per-user data directory (STUDY_PLAN_DIR or XDG_DATA_HOME/$HOME), and do not attempt to read unrelated system files or external credentials.
- Install Mechanism
- note: There is no install spec (instruction-only), which is low-risk, but the skill bundle does include executable scripts. If executed they will create files under the user's data directory. Because no automatic installer is declared, a user or agent would need to place/execute these scripts manually; that mismatch is worth noting but not malicious.
- Credentials
- ok: The skill declares no required environment variables or credentials. The scripts honor an optional STUDY_PLAN_DIR env var and fall back to standard XDG_DATA_HOME/$HOME — this is proportionate for a local CLI that stores user data. No secrets or unrelated external service tokens are requested.
- Persistence & Privilege
- ok: The skill does create and write to a per-user data directory (default: ~/.local/share/study-plan) and logs history there; this is expected for a productivity tool. always is false and the skill does not modify other skills or global agent configs.
