Skill v1.0.0

ClawScan security

Xianyu Team Optimizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 15, 2026, 3:36 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are coherent with its stated purpose (parsing a player list and computing 5-person team groupings); it requires no external credentials, network access, or installs and appears self-contained.
Guidance
This skill appears internally consistent and self-contained: it parses a pasted player list and runs a local Python script to compute grouping plans. Before using: (1) review the parsed player list the agent shows and confirm accuracy (the parser may misread messy lines); (2) be aware any names you paste may contain personal identifiers — avoid pasting sensitive info; (3) the script runs locally (requires Python 3); if you cannot or do not want to execute code, ask the agent to run the described manual algorithm instead; (4) because the code is bundled, you can inspect scripts/optimizer.py yourself — it appears to do combinatorial math only and contains no network calls or credential access. If you want extra assurance, you can run the script in a sandbox or review the full file before execution.

Review Dimensions

Purpose & Capability
ok
Name/description (咸鱼之王十殿星级组队优化器) match the actual files and behavior: SKILL.md describes parsing pasted group lists and using the included Python script to compute grouping plans and upgrade suggestions. The only included code (scripts/optimizer.py) implements the described combinatorial search, greedy fallback, alternative generation and upgrade-hint logic. No unrelated capabilities (cloud access, external services) are requested.
Instruction Scope
ok
SKILL.md instructs the agent to extract player names and star counts from pasted chat-style lists, confirm parsed results with the user, then run the local Python script or fall back to a manual algorithm if Python isn't available. The instructions reference only the user-supplied text and the script in the skill directory; they do not ask the agent to read system files, environment variables, or post data to external endpoints. One practical caution: the agent will parse whatever text the user pastes (which may contain personal identifiers), so the user should avoid pasting sensitive data publicly.
Install Mechanism
ok
No install spec is provided; the skill is instruction + a local Python script. This is low-risk: nothing is downloaded or written during install. The script is executed locally with the user's Python interpreter.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. That is proportionate to its stated functionality (local computation of groupings).
Persistence & Privilege
ok
The skill is not always-enabled and uses the platform-default autonomous invocation setting. It does not request persistent system privileges or attempt to modify other skills or system-wide configuration.