v1.0.0

D&D 5e Toolkit

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:54 AM.

Analysis

The skill appears to be a straightforward D&D helper that runs an included Python script and uses the disclosed D&D 5e API, with no evidence of credential access, persistence, or hidden data handling.

Guidance: This looks safe for normal D&D utility use. Be aware that it runs the included Python script locally and contacts the D&D 5e API for lookup features, but the provided artifacts do not show credential access, persistence, file modification, or hidden data collection.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Info. Confidence: High. Status: Note.
SKILL.md
All commands use the `dnd.py` script.

The skill expects local execution of the bundled Python script. This is code execution, but it is clearly documented and central to the skill's purpose.

User impact: Using the skill runs local Python code for D&D tasks, but the artifacts do not show automatic, hidden, privileged, or destructive execution.
Recommendation: Use the skill for its intended commands and review the included script if your environment restricts local code execution.

Tool Misuse and Exploitation
Severity: Info. Confidence: High. Status: Note.
dnd.py
API_BASE = "https://www.dnd5eapi.co/api"

The code uses a fixed external API endpoint for D&D lookups. This matches the skill description and appears limited to retrieving public SRD data.

User impact: Lookup terms and API requests may be sent to dnd5eapi.co when using lookup or generator features; no credentials or local private data are shown being sent.
Recommendation: Avoid entering private campaign details as lookup terms if you do not want them sent to the external API.