D&D 5e Toolkit
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill appears to be a straightforward D&D helper that runs an included Python script and uses the disclosed D&D 5e API, with no evidence of credential access, persistence, or hidden data handling.
This looks safe for normal D&D utility use. Be aware that it runs the included Python script locally and contacts the D&D 5e API for lookup features, but the provided artifacts do not show credential access, persistence, file modification, or hidden data collection.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill runs local Python code for D&D tasks, but the artifacts do not show automatic, hidden, privileged, or destructive execution.
The skill expects local execution of the bundled Python script. This is code execution, but it is clearly documented and central to the skill's purpose.
All commands use the `dnd.py` script.
Use the skill for its intended commands and review the included script if your environment restricts local code execution.
Lookup terms and API requests may be sent to dnd5eapi.co when using lookup or generator features; no credentials or local private data are shown being sent.
The code uses a fixed external API endpoint for D&D lookups. This matches the skill description and appears limited to retrieving public SRD data.
API_BASE = "https://www.dnd5eapi.co/api"
Avoid entering private campaign details as lookup terms if you do not want them sent to the external API.
