Skill v2.0.0

ClawScan security

Flashcard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 17, 2026, 6:59 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, instructions, and requirements are coherent with a local flashcard/spaced-repetition tool; it stores data locally and does not request credentials or perform network exfiltration.
Guidance
This skill appears to be a local flashcard tool. Before installing or using it: (1) review the scripts yourself (they are plain shell scripts) to confirm you’re comfortable executing them; (2) note that data (history.log and data.log) is stored under $FLASHCARD_DIR or, by default, $XDG_DATA_HOME or $HOME/.local/share/flashcard. Avoid putting sensitive personal data into cards if you don't want it persisted. If you prefer a different storage location, set FLASHCARD_DIR. There are no network calls or credential requests in the provided files, so the main risk is local data persistence rather than exfiltration.

Review Dimensions

Purpose & Capability
ok: Name/description (spaced repetition, decks) match the included scripts and SKILL.md. The two shell scripts implement local deck/quiz/review/export behaviors consistent with the stated purpose. No unrelated services, credentials, or binaries are requested.
Instruction Scope
ok: SKILL.md and scripts limit actions to generating flashcards, scheduling, quizzes, exporting formats, and local logging. The scripts read/write only to a user-local data directory (default: $XDG_DATA_HOME or $HOME/.local/share/flashcard). There are no instructions to read unrelated system files, network endpoints, or other credentials.
Install Mechanism
ok: No install spec; this is instruction + bundled shell scripts. Shell scripts are plain text and will run locally if executed. No downloads, package installs, or external archives are specified.
Credentials
ok: The skill declares no required environment variables or secrets. The scripts accept an optional FLASHCARD_DIR to change storage location, which is reasonable and proportionate for a local data store. No sensitive vars (API keys, tokens) are requested.
Persistence & Privilege
ok: always is false; the skill is user-invocable and can be called autonomously (platform default). It creates and uses its own data files under the user's home directory and does not modify other skills or system-wide configs.