Skillv1.0.0

ClawScan security

时间戳转换器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 2:58 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill claims many features (date→timestamp, natural-language relative times, batch processing, timezone parsing, accepting "now") but the included script only converts integer Unix timestamps to readable UTC/local strings — the README/handler are inconsistent with the code.
Guidance: This package is lightweight and not malicious, but its documentation overpromises. If you need only simple timestamp→date conversion, this script works (e.g., python3 scripts/timestamp_converter.py 1745800000). Do NOT expect date-string parsing, relative-language parsing, batch mode, accepting the literal string "now", or converting dates→timestamps — those features are missing. Before installing or relying on it, either (a) test it locally with sample inputs you need, (b) request the author to fix the SKILL.md or extend the script, or (c) inspect/modify scripts/timestamp_converter.py to add desired parsing (for example, add explicit handling for 'now', date parsing, or use a parsing library).

Review Dimensions

Purpose & Capability: concernThe name/description promise bidirectional conversions, auto-detection of seconds/milliseconds, multi-timezone parsing, date→timestamp conversion, natural-language relative times, and batch handling. The only shipped code (scripts/timestamp_converter.py) solely accepts integer timestamps (or defaults to current time when no argument is provided) and returns UTC/local formatted strings. Requests for date-string parsing, natural language, timezone selection, batch input, and accepting the literal string "now" are not implemented.
Instruction Scope: concernSKILL.md and the handler instruct calling the script with a timestamp or date (and explicitly suggest using "now"). The script will error if given a non-integer string like "now" or a human date (it attempts int(ts)). The documented examples (date→timestamp, relative times) are not supported by the code, so following the instructions will produce errors or misleading results.
Install Mechanism: okNo install spec; instruction-only plus a small Python script included in the package. No external downloads, package managers, or archive extraction are used — low install risk.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. That aligns with a small local Python utility and is proportionate.
Persistence & Privilege: okalways is false, normal user-invocable/autonomous invocation defaults apply. The skill does not request elevated privileges or modify other skills or system configuration.