Skillv2.0.1

ClawScan security

Labor Law · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 18, 2026, 10:45 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill appears to do what it claims: local, offline bash utilities that provide Chinese labor-law reference text and a simple local data-logging CLI; it does not request credentials or reach out to external endpoints.
Guidance: This skill is largely local and coherent: it bundles a Bash reference (labor.sh) that prints Chinese labor-law notes and a small CLI (script.sh) that stores/searches short text entries under ~/.local/share/labor-law (or LABOR_LAW_DIR). Before installing, review the two scripts if you want to be certain: they create/append plain-text files (data.log, history.log) in your data directory and do not perform network calls or request credentials. Note the minor mismatch between the short description (labor law reference) and SKILL.md which describes a general data-entry tool — that's probably intentional (reference + local notes) but you should confirm you’re comfortable with the tool writing logs to your home directory. If you plan to run the scripts on a shared system, be aware they store logs in plain text and do not sanitize or escape user-provided search/add input (typical for a simple CLI).

Purpose & Capability: noteName and description advertise a labor-law reference tool; included files implement that (scripts/labor.sh) plus a generic local data-entry/logger CLI (scripts/script.sh). The extra data-logging functionality is reasonable but slightly inconsistent with the 'query labor law' description (looks like a combined reference + local note-keeping tool). This mismatch is likely benign but worth noting.
Instruction Scope: okRuntime instructions and scripts operate only on local files under a configurable data directory (default ~/.local/share/labor-law). They read/write local logs and data, accept command arguments, and print legal guidance. They do not reference network endpoints, system-wide credentials, or other unrelated system paths.
Install Mechanism: okNo install spec or remote download; the skill is instruction-only with included bash scripts. Nothing is fetched from external URLs and no archives are extracted.
Credentials: okNo required environment variables, credentials, or config paths. The scripts optionally honor LABOR_LAW_DIR and XDG_DATA_HOME (reasonable for changing the local data directory). No secrets are requested.
Persistence & Privilege: okalways:false (no forced inclusion). The skill writes files only under its own data directory (default ~/.local/share/labor-law) and does not modify other skills or global agent settings.