Skillv1.0.0

ClawScan security

Abby Watch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 21, 2026, 9:39 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent with a simple time/countdown utility and requests no credentials or installs, though it has minor implementation issues and a small mismatch between its usage docs and packaging.
Guidance: This skill appears safe and coherent for a simple clock/countdown: it does not request credentials or network access. Before installing or using it, consider: 1) SKILL.md shows usage as 'abby time' but the package does not provide an 'abby' CLI wrapper or install step — you will need to run the script directly or add an executable wrapper. 2) The countdown implementation contains a bug (it attempts to call .replace() on a timedelta), which will likely crash when the target time is earlier than now; the logic should add one day to the target datetime instead. 3) Timezone is hardcoded as 'Australia/Sydney' in outputs; if you need local/timezone-correct results across environments, update the code to use tz-aware datetimes or accept a timezone option. If you don’t want to run untrusted code, run the script in a sandbox or inspect/modify the source yourself before use.

Purpose & Capability: okName/description, the README, reference file, and the included Python script all describe a simple time display/countdown. Required env vars/binaries/configs are none, which is appropriate for this functionality.
Instruction Scope: noteSKILL.md instructs running an 'abby' CLI (e.g., 'abby time'), but the bundle only contains scripts/time_cli.py with no install spec or wrapper that would make an 'abby' command available. The runtime instructions do not ask for unrelated files, environment variables, or external network access.
Install Mechanism: okThere is no install spec (instruction-only), so nothing will be downloaded or installed by default. A code file is included but not automatically installed — no external URLs, package managers, or extraction steps are present.
Credentials: okThe skill requests no environment variables or credentials. The code hardcodes a timezone label ('Australia/Sydney') but does not attempt to access system timezone configuration or secrets.
Persistence & Privilege: okalways is false and the skill does not request persistent/system-wide changes. It does not modify other skills or agent config.