Skill v1.0.1

ClawScan security

Locate your position on modern Windows · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 5:26 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The instructions and requirements match the stated purpose: an instruction-only PowerShell script that uses the WinRT Geolocator to return device coordinates and does not request unrelated credentials or installs.
Guidance
This skill is internally consistent with its description: it provides a full PowerShell script that uses Windows' native WinRT Geolocator and requests no credentials. Before running, inspect the script (it's included) and only run it on machines where you trust the source because it requires running powershell.exe with -ExecutionPolicy Bypass. Be aware that the output is the device's precise location — treat it as sensitive data and avoid sending it to external services unless you trust them. If you want to reduce risk, run the script locally rather than allowing autonomous agent invocation, and avoid pasting results into third-party reverse-geocoding APIs unless necessary.

Review Dimensions

Purpose & Capability: ok
Name/description claim WinRT-based Windows geolocation; the SKILL.md contains a PowerShell 5.1 script that loads System.Runtime.WindowsRuntime and instantiates Windows.Devices.Geolocation. No unrelated environment variables, binaries, or network credentials are requested — this is proportional to the stated capability.
Instruction Scope: ok
The runtime instructions are narrowly scoped to creating and running a PowerShell script that calls GetGeopositionAsync, converts the async result to a Task, and emits JSON. The script does not read other files, request unrelated system data, or transmit results to remote endpoints. Note: it instructs the user to run powershell.exe with -ExecutionPolicy Bypass, which is a common mechanism to run unsigned scripts but increases the risk if the script source is untrusted; the SKILL.md itself contains the full script for review.
Install Mechanism: ok
No install spec and no code files beyond SKILL.md (instruction-only). Nothing is downloaded or written to disk by an installer step. This is the lowest-risk install profile.
Credentials: ok
No environment variables, credentials, or config paths are required. The only sensitive output is device location (coordinates), which is expected for a geolocation utility. The documentation's reverse-geocoding example would send coordinates to a third-party service (external data exfiltration risk if you do that), but that example is optional and clearly labeled.
Persistence & Privilege: ok
The skill does not request persistent presence (always:false) and does not modify other skill or system configurations. The platform default allowing autonomous invocation remains in effect, but this skill does not request elevated privileges or persistent tokens.