Back to skill
Skillv1.0.12
ClawScan security
Recipe Block Focus Time · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 6:35 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions are coherent with its stated purpose (creating recurring Google Calendar focus blocks) and do not ask for unrelated credentials or risky installs.
- Guidance
- This recipe is coherent and lightweight: it simply runs the gws CLI to insert a recurring calendar event and then lists the agenda. Before installing or running it, confirm you have the official gws CLI and the gws-calendar helper installed and authenticated, review the gws CLI's OAuth scopes (so it only has calendar access you expect), and update the command to use the correct dates/timezone instead of the hard-coded example. If you are uncomfortable granting the gws CLI calendar access to this agent, do not enable it or run the commands manually from a trusted environment.
Review Dimensions
- Purpose & Capability
- okName/description match the actions in SKILL.md: it calls the gws CLI and depends on a gws-calendar skill to insert calendar events. Requiring the gws binary and the gws-calendar helper is proportionate to the stated goal.
- Instruction Scope
- noteInstructions are concise and limited to creating and verifying a recurring calendar event via the gws CLI. They do not reference unrelated files, env vars, or external endpoints. Note: the recipe assumes an authenticated gws CLI and uses a hard-coded example date/time; the user/agent should parameterize dates and ensure gws is authorized before running.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill itself.
- Credentials
- noteThe skill declares no environment variables or credentials. However, it implicitly relies on the user's existing gws CLI authentication (OAuth/token/state stored by gws). Ensure that the gws CLI's credentials/scopes are appropriate, since the skill will operate using whatever access the gws binary already has.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide changes or modify other skills. Normal autonomous invocation is allowed but not excessive here.