Skillv1.0.13

ClawScan security

Recipe Find Free Time · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 31, 2026, 6:36 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent: it is an instruction-only recipe that delegates calendar access to an existing gws CLI / gws-calendar skill and does not request unrelated privileges or files.
Guidance: This recipe calls the local 'gws' CLI and expects the companion gws-calendar skill to handle authentication. Before installing/using: (1) confirm the gws binary and gws-calendar skill come from sources you trust, (2) ensure those tools are authenticated with a Google account that has only the minimum calendar scopes needed, and (3) be aware the recipe can create calendar events—double-check attendees/time before creating events to avoid unintended invitations.

Purpose & Capability: okName/description match the actual instructions: the SKILL.md runs gws calendar freebusy queries and inserts events. Declaring the gws binary and the gws-calendar skill is appropriate for Calendar access.
Instruction Scope: okInstructions are narrowly scoped to querying free/busy and creating an event via the gws CLI. They do not instruct reading unrelated files, environment variables, or exfiltrating data to external endpoints.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself—low install risk.
Credentials: noteThe skill does not request environment variables or credentials itself. Calendar access will depend on the gws binary and gws-calendar skill being configured with Google credentials outside this skill; that design is reasonable but you should verify that gws/gws-calendar are already authenticated and use least-privilege scopes.
Persistence & Privilege: okalways is false and the skill is user-invocable. It does not request elevated or persistent platform privileges.