Back to skill
Skillv3.0.0
ClawScan security
Meditation Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 12:11 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and storage needs are consistent with a local meditation/track-and-timer utility and do not request unrelated credentials or network access.
- Guidance
- This skill appears to be what it says: local meditation tools and a simple session log in ~/.local/share/meditation-guide/sessions.jsonl. Before installing, you may want to: (1) inspect the two included scripts (scripts/script.sh and scripts/meditate.sh) to confirm you want both present — the Python script is not referenced by SKILL.md; (2) be aware the skill will create/append sessions.jsonl in your home; (3) if you prefer, run the scripts in a sandbox or check their behavior by running them manually to verify outputs. The scripts show some minor bugs (e.g., echo strings using single quotes preventing variable expansion) but nothing indicates malicious intent.
Review Dimensions
- Purpose & Capability
- okName/description match the behavior in the provided scripts: breathing guides, timers, guides, journaling prompts, and simple session tracking. No unrelated credentials, binaries, or config paths are required.
- Instruction Scope
- noteSKILL.md invokes scripts/script.sh and documents the data directory (~/.local/share/meditation-guide). The scripts only read/write a sessions.jsonl in that directory and print guidance; they do not access external networks or other system credentials. Note: there is an extra script (scripts/meditate.sh) that implements similar functionality in Python but is not referenced by SKILL.md — this duplication is likely benign but unusual.
- Install Mechanism
- okNo install specification; this is an instruction-only skill with bundled scripts. Nothing is downloaded or written during installation beyond the scripts already in the bundle.
- Credentials
- okThe skill requests no environment variables or credentials. It uses $HOME for a local data directory, which is proportionate to session tracking.
- Persistence & Privilege
- okThe skill is not force-enabled (always: false) and does not modify other skills or global agent configuration. It persistently writes session entries to its own directory, which is expected for a tracker.