Skill v2.0.1
ClawScan security
Furniture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 1:46 AM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its description: a small offline CLI tool that stores furniture data under ~/.local/share/furniture and does not request extra credentials or network access in the visible code.
- Guidance: This skill appears to be a simple, offline CLI that stores data in ~/.local/share/furniture and does not ask for network access or credentials. Before installing, consider:
  1. Inspect the rest of scripts/script.sh (the provided excerpt is consistent, but the longer file was truncated in the listing) to confirm there are no network calls (curl/wget/ssh) or execution of arbitrary remote code.
  2. Note that entries are appended verbatim to log files; avoid entering or piping untrusted content if you are concerned about log injection or malformed exports.
  3. The tool will create and write files under your home directory; if you prefer, run it with limited filesystem permissions or in a controlled account.

  If you want extra assurance, run the script in a sandbox/container and review the full script for any hidden commands before adding it to your PATH.
Review Dimensions
- Purpose & Capability: ok. Name/description (track furniture, schedule maintenance, manage warranties) lines up with the included bash script and SKILL.md, which implement a local CLI that logs entries and exports data. No unrelated services, credentials, or binaries are requested.
- Instruction Scope: ok. SKILL.md instructs use of the local 'furniture' CLI and documents commands; the runtime instructions and script operate only on local files under $HOME/.local/share/furniture and standard UNIX utilities (grep, tail, du). The instructions do not request reading unrelated system files or sending data externally.
- Install Mechanism: ok. There is no install spec (instruction-only), which minimizes install-time risk. A single bash script is included; it does not attempt to download or execute remote code in the visible portion. No package manager installs or remote downloads are present.
- Credentials: ok. The skill requires no credentials or special environment variables. It uses HOME implicitly to build a local data directory, which is appropriate for a desktop CLI storing local data.
- Persistence & Privilege: ok. always is false and model invocation is normal. The skill only creates/updates files in ~/.local/share/furniture and a history log; it does not modify other skills or system-wide configuration.
