Skill v1.0.0

ClawScan security

Cron表达式生成器 (Cron Expression Generator) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 4:26 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The README/skill description promises Chinese→Cron conversion, GUI and preview, but the included script only validates/describes a 5-field Cron string — the implementation and runtime instructions don't match the stated capabilities.
Guidance
This skill's documentation overpromises: it says it converts Chinese natural language to Cron and provides previews/GUI, but the bundled script only validates/describes a 5-field cron expression and will error if given Chinese text. Before installing or using it: (1) don't expect the Chinese→Cron feature to work — test the script locally with sample inputs; (2) ask the author for the missing implementation or updated SKILL.md; (3) treat it as low-risk code but untrustworthy due to mismatch — run in an isolated environment if you plan to execute it; (4) if you need the promised functionality, prefer a different, well-documented implementation or request unit tests and code that actually parses Chinese descriptions.

Review Dimensions

Purpose & Capability
concern
The skill description claims Chinese natural-language → Cron conversion, visual preview, and templates. The only code provided is a tiny Python script that expects a 5-field cron expression and returns a simple description or an error. There is no Chinese parsing, no preview logic, and no GUI — the requested capabilities are not implemented.
Instruction Scope
concern
SKILL.md instructs users to run examples like `python3 scripts/cron_generator.py "每天早上9点"`, implying the script will convert Chinese text; in reality the script treats its argument as a cron expression and will return an error for such input. The runtime instructions are therefore misleading and grant the agent broad discretion ('convert Chinese text') that the code does not implement.
Install Mechanism
ok
No install spec and no external dependencies; the skill is instruction-only with a small local script — low installation risk.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. Nothing disproportionate is requested.
Persistence & Privilege
ok
`always` is false and the skill does not request any elevated or persistent privileges or attempt to modify system/other-skill configuration.