Back to skill
Skillv2.0.0
ClawScan security
Leave Doc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:56 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and instructions are consistent with a simple leave-application generator: no network calls, no secret access, and nothing that clearly exceeds the described purpose.
- Guidance
- This skill appears coherent and implemented locally: it generates leave templates and optionally stores simple logs under ~/.local/share/leave-doc (or a path you set via LEAVE_DOC_DIR). Recommended precautions before installing or running: (1) inspect the scripts yourself (they are short and readable); (2) if you don't want local logs, set LEAVE_DOC_DIR to a directory you control or remove/ignore scripts/script.sh; (3) run in a sandbox if you are unsure. There are no network calls or credential requests in the code, so the risk surface is limited to local file writes.
Review Dimensions
- Purpose & Capability
- okThe name/description (leave application generation, multi-day calculation, annual-plan, emergency templates) match the provided files. scripts/doc.sh implements leave, multi-day, emergency and annual-plan features; scripts/script.sh is a small local utility for storing/listing data which is plausible for a helper tool.
- Instruction Scope
- okSKILL.md instructs running scripts/doc.sh and the script only uses local date/time logic and prints templates. The scripts do not read system config files, reach out to external endpoints, or attempt to access credentials. They do create and write to a local data directory (default: $XDG_DATA_HOME or $HOME/.local/share/leave-doc).
- Install Mechanism
- okThere is no install specification (instruction-only skill plus local scripts). No downloads, package installs, or external installers are included.
- Credentials
- okThe skill declares no required environment variables or credentials. The scripts optionally honor LEAVE_DOC_DIR and XDG_DATA_HOME/HOME for where to store data, which is reasonable for a local utility and does not require secrets.
- Persistence & Privilege
- notealways is false and the skill does not request elevated privileges. scripts/script.sh will create a per-user data directory and log files under $LEAVE_DOC_DIR or the default ~/.local/share/leave-doc; this is expected behavior but users should be aware that the skill stores data locally.