Skill v1.0.2
ClawScan security
易经起卦 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 11:47 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and requirements are internally consistent with an I Ching divination tool: it runs a local Python script to generate hexagrams, reads local references, and then performs normal web lookups for cross-checking; it does not request credentials or unusual privileges.
- Guidance: This skill appears coherent for its stated purpose, but consider the following before installing or using it: (1) it expects a Python runtime (SKILL.md calls 'python3') even though no binary dependency is listed; ensure python3 is available in the execution environment; (2) the agent will run the included scripts locally (review scripts/qi_gua.py yourself if you want to inspect behavior or audit output); (3) the skill instructs the agent to perform online searches and include source links, so your question text will be sent to whoever the agent's browsing/search tool contacts; avoid submitting sensitive personal data in divination queries if you care about privacy; (4) the SKILL.md requires returning the script's full raw output (which includes timestamps and generated seed information), so be aware that those details will be shown; (5) no credentials or installs are requested, which lowers risk. If you want extra caution: (a) run the script locally yourself first to confirm output and behavior, (b) verify python availability, and (c) restrict or review the agent's web-access permissions if you don't want queries sent externally.
Review Dimensions
- Purpose & Capability (note): The skill name/description (I Ching divination) aligns with the included files and runtime instructions: it invokes a local hexagram generator (scripts/qi_gua.py), reads the local 64‑gua reference, and asks the agent to perform web searches for verification. Minor mismatch: SKILL.md tells the agent to run 'python3 ./scripts/qi_gua.py' but the skill metadata declares no required binaries, so the script assumes a Python runtime is available even though no binary dependency is listed.
- Instruction Scope (ok): SKILL.md stays within the stated purpose: it requires (1) showing pre-divination guidance to the user, (2) calling the local qi_gua.py to produce a hexagram, (3) consulting local references, and (4) performing online searches after obtaining the hexagram name to cross-check interpretations. It explicitly requires returning the full raw script output and including source links for any online material. Nothing in the instructions directs reading unrelated system files, environment variables, or sending data to unexpected endpoints.
- Install Mechanism (ok): No install spec is present; the skill is instruction-only with one included Python script and local reference files. No remote downloads, package installs, or archive extraction are specified. The agent will execute the included script locally (so code on disk will run), but there is no installation mechanism that pulls arbitrary external code.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths, and none of the provided files attempt to access secrets. The script and docs use only local data (question, timestamp, references) and standard libraries; web lookups are performed by the agent as ordinary browsing/search operations. No disproportionate credential access is requested.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent or elevated privileges. It does not modify other skills' configs. Autonomous invocation is allowed (default) but that is the platform norm; nothing in the package gives this skill unusual system presence.
