Skillv1.0.0

ClawScan security

Tax Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 15, 2026, 1:05 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent: it implements local tax-calculation functions, its instructions match the code, it requests no credentials or installs, and it does not perform networking or file exfiltration.
Guidance: This skill appears to do only local tax calculations and is coherent with its description. Before installing, consider: (1) validate formulas and outputs against a few known examples or official guidance, since tax rules change and edge cases matter; (2) confirm you trust any referenced skills (china-tax-law, xlsx) if you plan to use them for up-to-date rates or exports; (3) avoid pasting sensitive taxpayer-identifying data into public/shared agents — although this skill has no network calls, the agent environment or other enabled skills might handle data in ways you should review; and (4) for material or legally binding tax decisions, verify results with a tax professional or the tax authority.

Purpose & Capability: okName/description (中国税务计算工具) match the provided assets: SKILL.md documents tax formulas and the package includes a Python script that implements VAT, CIT, IIT, land appreciation tax and stamp duty calculations. There are no unrelated environment variables, binaries, or external service credentials requested.
Instruction Scope: okSKILL.md instructs the agent to run scripts/tax_calc.py or compute using the formulas in the doc. The instructions stay within the stated purpose. They reference other skills (china-tax-law for rates and xlsx for Excel export) — these are plausible integrations but are optional and not required for core calculation logic.
Install Mechanism: okNo install spec is present (instruction-only plus an included script). The code file is included in the bundle and there are no downloads or external installers, which is low risk.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The code contains only local numeric computations and printed output; it does not attempt to read credentials or access external resources.
Persistence & Privilege: okThe skill is not marked always:true and does not request persistent system changes. Model invocation is enabled (platform default) — this is normal and not by itself a sign of excess privilege.