Cn Math Expression
Warn. Audited by ClawScan on May 14, 2026.
Overview
This small calculator has no network or credential access, but it evaluates user-provided expressions with Python eval while claiming math-only safety.
Review before installing. Do not use this skill on untrusted expressions unless the eval-based implementation is replaced with a strict math parser and resource limits.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent evaluates a crafted or untrusted expression, it could trigger unexpected Python execution behavior or resource exhaustion in the local environment.
A user-provided expression is evaluated by Python eval. Removing builtins and providing SAFE_NAMES reduces direct access, but it is still dynamic Python expression execution without a strict arithmetic grammar.
parser.add_argument("--expr", required=True) ... return eval(expr, {"__builtins__": {}}, SAFE_NAMES)
Replace eval with an AST-based whitelist or a dedicated math-expression parser, reject attribute and dunder access, and add time and memory limits.
Users may trust the tool with untrusted expressions because the documentation says unsafe operations are not possible.
The documentation strongly assures users that evaluation is safe, while the included code uses Python eval on the supplied expression. That safety claim is overstated for this implementation.
Safe evaluation (no arbitrary code execution) ... No imports, no file access, no system commands.
Document the actual limitations clearly, or change the implementation so the safety claims are backed by a strict parser and sandboxing controls.
