Skill v1.0.0
ClawScan security
Academic Figures · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 12:04 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are consistent with a local figure-generation tool and do not request unrelated credentials, network access, or system-wide privileges.
- Guidance: This skill appears coherent and self-contained: it generates charts locally and auto-detects system CJK fonts. Before installing, ensure you have the expected Python environment (matplotlib, numpy) and run the scripts on sample data in a safe environment. Review the two included scripts (detect_cjk_font.py and gen_figure.py) yourself if you are concerned about behavior, and run them offline if you want to be certain no unexpected network activity occurs. If you rely on a managed agent, confirm that the agent's execution environment has no unusual mounts or network proxies that could expose input/output files.
Review Dimensions
- Purpose & Capability: ok. Name/description match the delivered artifacts: included Python scripts implement chart generation, CJK font detection, and the described chart types and options. No unrelated binaries or cloud credentials are requested.
- Instruction Scope: ok. SKILL.md instructions focus on loading data, detecting CJK fonts, and producing PNG/SVG output. The runtime instructions and the code operate on local files and do not direct data to external endpoints. The scripts do invoke local font discovery (fc-list) and execute the bundled detect_cjk_font.py, which is coherent with the CJK support claim.
- Install Mechanism: ok. There is no install spec and no external downloads; the skill is instruction-only with two included Python scripts. Nothing in the manifest attempts to fetch or execute remote archives.
- Credentials: ok. The skill declares no required environment variables or credentials, and the code only accesses local filesystem paths (font files, input JSON/CSV, and output images). The use of subprocess to run fc-list and the bundled detect script is consistent with font detection and does not require extra secrets.
- Persistence & Privilege: ok. The skill is not force-installed (always=false) and does not attempt to modify other skills or global configuration. It runs as a local script and does not request elevated or persistent platform privileges.
