Back to skill
Skillv2.0.1
ClawScan security
Pickup Lines · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 18, 2026, 10:49 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, runtime instructions, and requested resources are consistent with a small local CLI tool for storing and managing pickup lines; it does not request credentials or perform network activity.
- Guidance
- This skill is coherent and appears to do only what it says: a small local bash tool that stores and searches text lines under ~/.local/share/pickup-lines (or a directory you set). It does not request credentials or access the network. Before installing, note: (1) the tool will create and write data.log and history.log in that directory — don't store secrets there, and back up if you care about the content; (2) the 'remove' command in the script only echoes a removal message and does not actually delete entries (a bug/limitation); (3) minor metadata/version mismatches exist but are non-malicious. If you want extra caution, review the script yourself or run it in a dedicated user account/container to isolate its files.
Review Dimensions
- Purpose & Capability
- noteThe name/description (Pickup Lines / Love Lines) and the script both implement a small local text-store CLI — all required pieces (no creds, no network) match that purpose. Minor inconsistencies: SKILL.md header uses 'Love Lines' while registry name is 'Pickup Lines', and SKILL.md/version (2.0.0) differs from registry version (2.0.1). These are quality issues, not security problems.
- Instruction Scope
- okSKILL.md and the included script confine actions to the data directory (~/.local/share/pickup-lines or PICKUP_LINES_DIR/XDG_DATA_HOME). Commands read/write local plain-text files (data.log, history.log). There are no instructions to read unrelated system files, network endpoints, or external env vars.
- Install Mechanism
- okNo install spec; the skill is instruction-only with a small Bash script. Nothing is downloaded or written outside the declared data directory by the script.
- Credentials
- okNo required environment variables or credentials. The script uses common environment variables (PICKUP_LINES_DIR, XDG_DATA_HOME, HOME) to locate its data directory — this is proportionate to the stated purpose.
- Persistence & Privilege
- noteSkill does not request always:true and has no special privileges. It can be invoked autonomously (platform default) which will allow the agent to run the script and read/write the local data files — expected for a CLI-style skill. If you allow autonomous agent actions, be aware it can modify the local pickup-lines data dir.