Skillv1.0.3

ClawScan security

D4 World Boss Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 11, 2026, 9:28 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent: it fetches a public webpage to parse Diablo 4 world boss times and formats output; it does not request credentials or perform unexpected actions.
Guidance: This skill is small and does what it says: it uses curl (via the script) to fetch a public page (map.caimogu.cc) and prints boss times. Before installing, confirm you trust the external site (map.caimogu.cc) because the script displays data from it. Ensure python3 and curl are available on the agent runtime (they are assumed but not declared). If you agree to set timed reminders, be aware that creating cron jobs requires system access/permission — the skill does not create cron entries itself, so any reminder setup will be an explicit, separate action you or the agent must perform.

Review Dimensions

Purpose & Capability: noteThe skill's code and instructions match the stated purpose (fetching and displaying world boss times from https://map.caimogu.cc/d4.html). Minor inconsistency: the registry metadata lists no required binaries, but the SKILL.md and script assume python3 is available and the script calls curl via subprocess. Those runtime requirements are reasonable for this purpose but should be declared.
Instruction Scope: okSKILL.md directs the agent to run the included Python script from the skill directory. The script only downloads the specified webpage, parses a JSON-like object, and prints formatted messages. Instructions mention offering to set a cron reminder, but the code does not itself modify cron or other system files.
Install Mechanism: okThere is no install spec (instruction-only plus a small included script). No downloads or external installers are executed during installation, so nothing is written to disk beyond the skill files already present.
Credentials: okThe skill requests no environment variables or credentials. The script uses network access to fetch a public web page, which is appropriate for the stated purpose. No secrets or unrelated service tokens are requested.
Persistence & Privilege: noteThe skill is not always-enabled and does not autonomously persist configuration. It suggests using cron for reminders but does not programmatically modify cron itself; if the user or agent were to set up reminders, that would require additional system permissions outside the skill's current code.