Skill v2.0.1

ClawScan security

Trivia Quiz · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 18, 2026, 10:53 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with a local trivia/flashcard CLI: it stores data locally, requires no credentials or network access, and its code matches the documented commands; the only minor mismatch is the SKILL.md omission of Python 3 as a runtime requirement.
Guidance
This skill appears to do what it claims: a local trivia/flashcard CLI that writes history and note logs to ~/.local/share/trivia-quiz/ (or $TRIVIA_QUIZ_DIR if you set it). Before installing/running:
1) Note that scripts/trivia.sh calls python3 — ensure you have Python 3 installed (SKILL.md omitted this).
2) If you want privacy, set TRIVIA_QUIZ_DIR to a directory you control and check file permissions: history.log and data.log are plaintext.
3) Review the two scripts (they are short and readable) or run them in a restricted environment if you prefer.
4) No network access or credentials are used by the skill, so there is no hidden exfiltration in the provided code.

Review Dimensions

Purpose & Capability
note
Name/description describe a local trivia/learning tool and the provided scripts implement that functionality. One inconsistency: SKILL.md lists Bash ≥4 and coreutils but does not mention Python 3, yet scripts/trivia.sh invokes python3. Other than that, required files and behavior (local data storage under TRIVIA_QUIZ_DIR) align with the stated purpose.
Instruction Scope
ok
Runtime instructions and examples map to the shipped scripts. The SKILL.md and scripts only read/write files under the skill data directory (default ~/.local/share/trivia-quiz/), use standard utilities (date, wc), and print content; they do not reference unrelated system paths, credentials, or external endpoints. No network calls or unexpected data transmission are present.
Install Mechanism
ok
No install spec (instruction-only) is present, which keeps the installation surface minimal. Code files are included in the package but there is no download-from-URL or archive extraction step. This is low-risk from an install mechanism perspective.
Credentials
ok
The skill requires no credentials or special environment variables. It optionally respects TRIVIA_QUIZ_DIR and XDG_DATA_HOME/HOME for data location. There are no secret-like environment variables requested, nor access to unrelated configs.
Persistence & Privilege
ok
always is false and the skill does not modify other skills or system-wide settings. It creates and writes to its own data directory (history.log and data.log) in the user's home area, which is expected for an app that stores notes and history.