Skill v1.0.0
ClawScan security
随机选择器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 29, 2026, 2:58 PM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's description claims weighted selection and cryptographically secure randomness, but the included script does not implement weights or use the secrets module, and the usage examples/handler are inconsistent with the script's arguments. Functionally it is low-risk but internally inconsistent.
- Guidance: This skill is low-risk from a network/credential perspective (no external calls or secrets requested), but it is internally inconsistent and buggy. The description promises weighted draws and a cryptographically secure ‘fairness’ mode using the secrets module, but the included script uses random (not cryptographically secure), does not implement weights, and will fail if you pass the example flag syntax (--count). If you plan to use it for casual, low-stakes choices it's probably fine after fixing the usage to pass a numeric second positional arg. If you need weighted draws or cryptographic fairness (e.g., for real-money or high-stakes lotteries), do not use this as-is; instead ask the author to (1) implement weights (random.choices with weights or a custom weighted pick), (2) use secrets.SystemRandom or the secrets module for secure randomness, and (3) correct the CLI to match the documented flags. Consider reviewing or testing the script locally before installing or relying on it.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md advertises weight support, a 'fairness' mode using the secrets module, and de-duplication/various modes. The shipped script only performs simple comma/newline splitting and uses random.sample/random.shuffle for selection. It does not implement weighted selection, does not import or use the secrets module, and does not provide named flags for --count or the weight syntax described in the examples. These capabilities claimed in the description are not present in the code.
- Instruction Scope (concern): The SKILL.md handler and examples instruct calling the script with e.g. --count 2 and weight syntax like '一等奖:1,二等奖:3', but the script expects positional args (items, optional integer count) and will attempt int('--count') if passed the flag form; that will fail. The handler line 'python3 scripts/random_picker.py "<选项列表>"' matches the basic positional usage, but the example usage and described modes are inconsistent with the actual implementation.
- Install Mechanism (ok): Instruction-only with a small included Python script; no install spec, no external downloads or packages. Uses only the Python standard library in the provided code.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths, consistent with a small local utility.
- Persistence & Privilege (ok): Defaults (not always, model invocation allowed, user-invocable) are normal and appropriate. The skill does not request persistent presence or modify other skill/system configs.
