Skill v1.0.1

ClawScan security

English Tutor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 8:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality (an on-agent English tutor) is coherent and asks for no secrets or installs, but the shipped code and metadata contain inconsistencies and sloppy/duplicated code that could cause unexpected behavior — review before installing.
Guidance
This skill appears to do what it claims (an in-agent English tutor) and does not request credentials or external installs, but the included index.js is malformed: it mixes CommonJS and ESM exports, duplicates onboarding logic, and contains what looks like a truncated function — this can cause crashes or unexpected behavior. Before installing: (1) ask the author for a clean, single-module index.js (pick either module.exports or export default) and a short changelog/homepage; (2) verify the manifest version matches the registry version; (3) request tests or run the skill in a sandboxed agent to confirm it behaves as expected; (4) be aware the skill stores onboarding answers in agent memory (et.*) so avoid entering sensitive personal data. If you can't get a corrected code file or origin info, consider treating it as untrusted or suspicious.

Review Dimensions

Purpose & Capability
ok: Name, description, manifest activation commands, and the code all implement an on-agent English tutor that stores onboarding choices in agent memory. No unrelated binaries, env vars, or network endpoints are requested.
Instruction Scope
note: SKILL.md and manifest are scoped to onboarding and scheduled quizzes. The code only reads/writes agent memory (et.* keys) and user input; it does not access files, environment variables, or external networks. However, index.js contains duplicated/conflicting exports (CommonJS module.exports and an ES module export default with overlapping logic) and a truncated first function — this is inconsistent and likely to cause runtime errors or unexpected behavior.
Install Mechanism
ok: No install spec is provided (instruction-only plus a code file). Nothing is downloaded or written by an installer, so there is no external install risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the runtime code does not reference any secrets or external service tokens.
Persistence & Privilege
ok: always is false and the skill only persists user preferences into the agent's memory under its own keys (et.*), which is appropriate for a tutor. It does not request broader privileges or modify other skills' configs.