Skillv2.0.0

ClawScan security

Intern Report · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 17, 2026, 6:56 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill appears to do what it says (generate internship reports and related templates); it requires no credentials and has no network/installer, but it includes an undocumented helper script that creates a local data directory and log files which you should be aware of before installing.
Guidance: This skill is internally coherent and doesn't request secrets or network access. Before installing or running: (1) inspect scripts/intern.sh fully (the listing was truncated here) to confirm there are no unexpected network calls or sensitive-file reads; (2) be aware scripts/script.sh will create and write files to $INTERN_REPORT_DIR or $HOME/.local/share/intern-report (history.log, data.log) — if you prefer no on-disk artifacts, run in a sandbox or set INTERN_REPORT_DIR to a disposable location; (3) run the scripts in a controlled environment (sandbox/container) first if you have low trust in the source; (4) if you only need template generation, you can use scripts/intern.sh directly and ignore script.sh.

Review Dimensions

Purpose & Capability: okThe name/description (intern report generator) matches the provided code: scripts produce daily/weekly/summary/reflection/defense templates. Included helper functions (Python templates in scripts/intern.sh and text in tips.md) are consistent with the stated purpose.
Instruction Scope: noteSKILL.md instructs running scripts/intern.sh for generation tasks. There is an additional scripts/script.sh (a 'data processing and analysis toolkit') that is not documented in SKILL.md; it exposes commands to import/export/query/clean data. The main templating script does not appear to access secrets or remote endpoints, but the presence of an undocumented helper that operates on a local data store is a scope deviation worth noting.
Install Mechanism: okNo install spec, no external downloads, and no packages are pulled in. This is an instruction-only skill with included local scripts — low install risk.
Credentials: okThe skill requires no environment variables or credentials. scripts/script.sh respects standard XDG_DATA_HOME/INTERN_REPORT_DIR and defaults to $HOME/.local/share/intern-report. This is reasonable for a local data/logging helper.
Persistence & Privilege: noteThe helper script will create a local data directory and append to history.log and data.log under $DATA_DIR (defaults to $HOME/.local/share/intern-report). The skill does not request elevated privileges nor set always:true, but it does persist files to the user's home directory (not documented in SKILL.md).