Back to skill
Skillv1.0.0
ClawScan security
Hex编码解码工具 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 2:57 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its description: a small local Python tool for hex encode/decode with no network access or extra credentials requested.
- Guidance
- This skill is small and self-contained: it runs a local Python script to encode/decode hex and prints JSON results. It does not access the network or request credentials. Before installing, consider: (1) do not pass sensitive secrets you don't want processed or logged by the agent; (2) the script decodes using UTF-8 and returns null on non-decodable input — binary data may not round-trip; (3) if you need different encodings or behavior, review/modify the simple Python file. Overall the package appears consistent and low-risk.
Review Dimensions
- Purpose & Capability
- okName/description (hex encode/decode) align with the provided script and SKILL.md. No unrelated binaries, env vars, or resources are requested.
- Instruction Scope
- okSKILL.md directs the agent to call the included script with simple arguments. Instructions do not ask the agent to read unrelated files, environment variables, or transmit data externally.
- Install Mechanism
- okNo install spec — instruction-only plus a small script. No downloads, no package installs; risk is minimal.
- Credentials
- okNo environment variables, credentials, or config paths are required. The script operates locally on provided input only.
- Persistence & Privilege
- okSkill does not request always:true, does not modify other skills or system settings. Autonomous invocation is allowed (default) but is not combined with other risks.