Skill v2.0.0

ClawScan security

Loan Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 6:55 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (a local loan calculator); it does not request network access or secrets, but it will create local files and relies on common Unix tools (not all declared).
Guidance
This skill appears coherent and implements the described loan-calculator functionality locally. Before installing or running:
1) Be aware it will create a data directory (by default ~/.local/share/loan-calculator) containing data.log and history.log that may include anything you pass to the tool; avoid entering sensitive PII or credentials into commands.
2) The scripts use the 'bc' utility (and common Unix tools like grep, date); ensure those binaries exist where you intend to run it.
3) If you want to control where data is stored, set LOAN_CALCULATOR_DIR to a safe location.
4) No network calls or secret-requiring env vars are present, but you can still review the scripts in the repository yourself if you want to audit behavior before running.
Overall the package is consistent with its description.

Review Dimensions

Purpose & Capability
note: The scripts implement loan calculations, comparison, prepayment, affordability and schedule features that align with the description. They also include a small utility (scripts/script.sh) for persisting simple entries and history which is reasonable for user data (notes/entries) but is not mentioned in SKILL.md. The implementation writes files to a local data directory by default and uses the 'bc' calculator binary, which is not declared in the metadata.
Instruction Scope
note: SKILL.md only instructs running the tool (help/run) and provides examples for calculator commands. The runtime scripts do not access remote endpoints or unrelated system credentials, but they will read common env vars (LOAN_CALCULATOR_DIR, XDG_DATA_HOME, HOME) and create/write local files (data.log, history.log). The documentation does not explicitly call out local file creation.
Install Mechanism
ok: There is no install spec (instruction-only), so nothing is downloaded or installed by an automated installer. The risk surface is limited to the included shell scripts that would be executed by the agent or user.
Credentials
ok: The skill declares no required environment variables or credentials. At runtime the scripts consult LOAN_CALCULATOR_DIR/XDG_DATA_HOME/HOME to locate the data directory; these are common non-sensitive environment variables and their use is proportionate to persisting user data.
Persistence & Privilege
note: always:false (no forced inclusion). The skill writes persistent files in $LOAN_CALCULATOR_DIR or ${XDG_DATA_HOME:-$HOME/.local/share}/loan-calculator (data.log, history.log). This is normal for a tool that saves entries, but users should be aware of local disk writes and that inputs may be stored in plaintext.