Skillv1.0.0

ClawScan security

Argentina Fiscal Calendar (ARCA) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 18, 2026, 4:09 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is internally consistent with its stated purpose (an offline Argentine fiscal calendar): it requires no credentials or external services and only asks to store simple config and logs in a local workspace, though it does persist some PII-like data (CUIT termination) and schedules proactive alerts.
Guidance: This skill appears to do what it says: an offline Argentine fiscal calendar that stores a small local workspace and issues weekly alerts. Before installing, consider: (1) It will create ~/centriqs/fiscal/ and ask you to fill config.md with your CUIT termination and regime—this is needed for correct dates but is personally identifiable; (2) historial.md may record confirmed payments—avoid storing full sensitive numbers there if you want privacy; (3) proactive weekly alerts are part of its behavior—if you prefer not to receive autonomous alerts, disable or edit the alert configuration after install; (4) the skill is instruction-only and requests no credentials, but the source is 'unknown' in the registry metadata—if you care about provenance, verify the author (centriqs.io / the GitHub repo referenced in README) before installing; (5) as a best practice, review the created files and set restrictive file permissions (chmod 600) if they will contain PII, and rely on the official ARCA site for legally binding dates.

Review Dimensions

Purpose & Capability: okName/description match the declared behavior: an offline fiscal calendar for ARCA/AFIP. The skill requests no binaries, no env vars, and does not claim to call external APIs—this is proportional for a knowledge-based calendar.
Instruction Scope: noteSKILL.md instructs the agent to ask for CUIT termination when needed, compute date shifts for weekends/holidays, and produce weekly proactive alerts. It also instructs creation of a local workspace and logging of confirmed payments. There are no instructions to read unrelated system files or exfiltrate data, but the spec is explicit about persisting user-provided data (config.md, historial.md) and about autonomous weekly alerts (heartbeat), which you should be aware of.
Install Mechanism: okInstruction-only skill (no install spec, no code files). README suggests optional install via clawhub or git clone from a public repo; neither involves opaque downloads or extraction. No installer behavior that would write unexpected binaries to the system is present.
Credentials: okNo environment variables or credentials are requested. The only stored configuration is the CUIT termination (last digits), regime and alert preferences—information relevant to providing correct calendar/alerts but mildly sensitive (partial PII).
Persistence & Privilege: notealways:false (not forced). The skill declares it will create ~/centriqs/fiscal/ with config, alert preferences, and an optional payment-history log. This persistent local storage is proportional to the feature set but means the agent will keep local records (including partial CUIT and confirmed payment entries) and may send proactive alerts via the agent.