Skill v1.0.6
ClawScan security
summer Solstice countdown · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 12:35 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and requirements are coherent with a simple browser-based summer countdown/sunrise widget — no credentials, no installs, and no unexpected access — though the SKILL.md contains small implementation inconsistencies and some timezone/coordinate details to double-check.
- Guidance: This skill appears to be what it claims: a small client-side HTML widget that fetches public API data (USNO and sunrise-sunset) and displays a live countdown/clock. Things to check before using: (1) the SKILL.md example mixes a hard-coded solstice date with a note saying the date should be fetched — prefer fetching the official solstice time at runtime; (2) verify and unify the Beijing coordinates used; (3) implement robust timezone handling by parsing ISO UTC times and converting to UTC+8 rather than adding fixed hours blindly; (4) the widget will make public HTTP requests from users' browsers, which reveals the requester's IP and User-Agent to those APIs — if that matters, host the page server-side or proxy requests; and (5) confirm the APIs allow cross-origin requests from your deployment environment (CORS). No credentials or installs are required.
Review Dimensions
- Purpose & Capability (ok): Name/description match the instructions: building an HTML widget that fetches solstice and sunrise data and displays a live clock. The required resources (public HTTP APIs) are consistent with this purpose; no unrelated credentials, binaries, or paths are requested.
- Instruction Scope (note): Instructions stay inside the expected scope (fetch public APIs, render an HTML dashboard, tick every second). Minor inconsistencies exist in the examples: the doc says the solstice time is fetched from aa.usno.navy.mil but the code snippet hard-codes SUMMER; there are slightly different Beijing coordinates used in two places (39.9075/116.3972 vs 39.9042/116.4074). Timezone handling is called out (add 8 hours) but implementers should carefully parse ISO UTC strings rather than naively adding hours to avoid DST/date-edge bugs. These are functional issues, not security problems.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest-risk installation footprint. The runtime behavior is client-side HTTP requests from the rendered page.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The public APIs used do not require secrets, so requested access is proportional.
- Persistence & Privilege (ok): always is false and there's no request to modify agent/system configuration or other skills. The skill does not request permanent privileges.
