Skill v1.0.0
ClawScan security
Time Convert · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 1:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only timezone/epoch conversion skill that simply posts JSON to an external time API; the declared requirements and instructions are coherent with its stated purpose.
- Guidance: This skill is instruction-only and appears to do what it says: send time-related requests to https://time.agentutil.net and return the results. Before installing, consider that (1) queries go to an external service so any data you send (dates/times/identifiers) and your IP will be visible to that service, (2) the SKILL.md mentions a paid crypto-based tier — verify how payments and any wallet credentials would be handled before providing them, and (3) confirm the reputation/privacy policy of time.agentutil.net if you plan to send anything sensitive. If you only need basic timezone/epoch conversions for non-sensitive data, the skill is low-risk.
Review Dimensions
- Purpose & Capability (ok): The name/description match the concrete HTTP endpoints and example requests in SKILL.md (now/convert/math/epoch). There are no unrelated binaries, credentials, or config paths requested.
- Instruction Scope (ok): SKILL.md only shows example curl POSTs to https://time.agentutil.net and a response schema. It does not instruct reading local files, environment variables, or other system state. Note: using the skill will send whatever times/strings a user supplies to the external service (and the service will see the caller IP).
- Install Mechanism (ok): No install spec and no code files — instruction-only. This minimizes on-disk execution risk; the only runtime activity is network requests initiated by the agent.
- Credentials (note): The skill requires no environment variables or credentials for the free tier (as declared). The SKILL.md mentions a paid tier using an on-chain 'x402' USDC protocol but does not declare any wallet/credential requirements — if payments are later integrated, the skill should explicitly declare what credentials or keys it needs. For the current free usage, no secrets are requested.
- Persistence & Privilege (ok): always:false and no special privileges requested. disable-model-invocation is false (agent may call it autonomously), which is standard; this only means the agent could make outbound requests to the external API during operation.
