Back to skill
Skillv1.0.1
ClawScan security
Aether Tarot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 8, 2026, 5:46 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a low-risk, self-contained tarot reading skill that requests no credentials, makes no external calls, and contains only minimal prompt/entrypoint code — it appears coherent with its stated purpose though its implementation is minimal.
- Guidance
- This skill appears low-risk: it asks for no secrets, makes no network calls, and only contains a tiny entrypoint that prompts the user. Before installing, note that the packaged code does not implement card drawing or interpretations — the LLM will likely generate readings on demand. If you expect deterministic draws, logged histories, or a locally stored deck, ask the author for an implementation that includes the deck data and sampling logic. Also consider that the source and homepage are unknown; if provenance matters to you, prefer skills with identifiable authors or a public repo. Otherwise this skill is coherent and safe to try.
Review Dimensions
- Purpose & Capability
- noteThe name/description match the files: a tarot reading skill that operates via prompts. However, the included JS and prompt file only provide a welcome/ready response and do not implement random card selection, card data structures, or interpretation logic described in SKILL.md. That inconsistency suggests the skill relies on the LLM runtime to generate readings rather than local code.
- Instruction Scope
- okSKILL.md stays within the tarot-reading scope and does not instruct the agent to read unrelated files, access environment variables, or send data to external endpoints.
- Install Mechanism
- okNo install spec and no downloads — instruction-only plus a tiny entrypoint script. Nothing is written to disk beyond the packaged files.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths — proportional to its stated purpose.
- Persistence & Privilege
- okNo always:true flag and no modifications of other skills or system configuration. Autonomous invocation is allowed (platform default) but not combined with other risky privileges.