Skill v0.1.0
ClawScan security
Lay Summary Gen · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 9:44 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its description: a small local Python script that converts medical abstracts into simpler language with no network calls or secret access required.
- Guidance: This skill appears to do what it says: a small local Python tool for simplifying medical abstracts. It's coherent and low-risk: there are no network calls or secret requirements. Before installing or using it with real patient data, review and test outputs for clinical accuracy (this is not medical advice), and avoid feeding sensitive identifiable patient information into any third-party service. Note the SKILL.md mentions file read/write and sandboxing but the current script only reads an input string and prints JSON—if you or your environment modifies the skill to accept file inputs, re-review for path traversal and data-handling safeguards.
Review Dimensions
- Purpose & Capability: ok. The name/description (lay summaries for non-experts) align with the included Python implementation: jargon mapping, sentence simplification, key-takeaway extraction, and a reading-level estimate. There are no unrelated credentials, binaries, or services requested.
- Instruction Scope: note. The SKILL.md and script instruct local execution of a Python script and expect input abstracts. The SKILL.md's risk checklist mentions file reads/writes and sandboxing, but the provided script only reads an input string (argv) and prints JSON—it does not perform filesystem or network I/O. This is a minor documentation vs. implementation mismatch (not a functional threat), but users should note the skill will execute local Python code.
- Install Mechanism: ok. No install spec is provided (instruction-only + small script bundled). No packages or external downloads are required. This is low-risk from an installation perspective.
- Credentials: ok. No environment variables, credentials, or config paths are requested. The skill does not require elevated environment access and the code does not read environment variables.
- Persistence & Privilege: ok. The skill is not always-enabled and does not request persistent system presence or modify other skills or system settings. It runs locally when invoked.
