Back to skill
Skillv1.1.0
ClawScan security
倒计时工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 19, 2026, 11:52 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- This is an internally consistent local countdown/anniversary CLI: it stores events in a local JSON file and the code and instructions align with that purpose, though the package source is unknown and the repo omitted a declared dependency on python3.
- Guidance
- This skill appears to do exactly what it says: a local countdown/anniversary CLI that stores events in ~/.qclaw/workspace/countdown.json. Before installing or running: 1) Ensure you have python3 available (examples use python3) — the registry metadata omits this dependency. 2) Review the included scripts yourself (or run in a sandbox) because the package source and homepage are unknown. 3) Note that event data is stored unencrypted in your home directory; do not save sensitive secrets there. 4) If you enable autonomous invocation for an agent, restrict the agent's filesystem permissions so it cannot read unrelated files. 5) If you need stronger privacy, move the data file to an encrypted location or adjust the script to use encryption/backups.
Review Dimensions
- Purpose & Capability
- noteName/description (Chinese countdown/anniversary tool) match the included script and SKILL.md. The skill requires no external services or credentials and writes only to a local JSON under ~/.qclaw/workspace/countdown.json. Minor inconsistency: SKILL.md and the code assume running via python3, but required binaries in the registry metadata list none.
- Instruction Scope
- okRuntime instructions only tell the agent (or user) to run the included script with standard CLI flags. The SKILL.md and script operate on local data and do not instruct the agent to read unrelated system files, call external endpoints, or exfiltrate data.
- Install Mechanism
- okNo install specification — instruction-only with an included Python script. Nothing is downloaded or written by an external installer; the script is local and executed directly.
- Credentials
- okThe skill requests no environment variables or credentials. All storage is local (~/ .qclaw/workspace/countdown.json). No unnecessary secrets or unrelated env vars are requested.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does create and update its own local data file but does not modify other skills or system settings. Autonomous invocation is allowed by default but is not a special privilege here.