Skillv1.0.1

ClawScan security

myClub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 14, 2026, 8:09 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions match its stated purpose (fetching myclub.fi schedules); it requires local myclub credentials and does not contact unexpected external services, though it stores your password in a local JSON file and can write debug artifacts to disk.
Guidance: This skill appears to be what it claims: a local Python script that logs into myclub.fi and scrapes club schedule pages. Before installing, consider: 1) You will provide your myclub.fi email and password and the script will store them in ~/.myclub-config.json as plain JSON (file mode 0600). If you are uncomfortable storing your primary credentials in a local file, create a dedicated account/password or avoid installing. 2) The script's debug routines can write HTML and cookie dumps to disk during failures; avoid running in debug mode if you want to minimize on-disk artifacts. 3) The project is small and uses only the Python standard library, so review the script locally if you want extra assurance (look for any unexpected network hosts or file writes). 4) Keep the repository/homepage URL and author in mind and only install if you trust the source. If you want extra safety, run the script in an isolated environment (container or VM) and verify network traffic it generates (it should only call id.myclub.fi and *.myclub.fi).

Review Dimensions

Purpose & Capability: okName/description (fetch schedules from myclub.fi) align with the included script and the SKILL.md. The script implements login, discovery, and fetch operations against id.myclub.fi and *.myclub.fi only. No unrelated binaries, env vars, or services are requested.
Instruction Scope: noteSKILL.md instructs the agent to store and use myclub.fi credentials locally and to run the included Python script. The runtime instructions and script stay within the stated scope (authenticate at id.myclub.fi, fetch pages from club subdomains). Note: the script saves credentials in ~/.myclub-config.json (plain JSON, mode 0600) and contains a debug helper that can write HTML and cookies to disk (e.g., /tmp/myclub-login.html and -cookies.json) when debug/error paths are taken.
Install Mechanism: okNo install spec; this is instruction-only and ships a single Python script relying only on the standard library. No remote downloads, package installs, or archive extraction are present.
Credentials: noteThe skill requests no environment variables or third-party credentials beyond your myclub.fi username/password. Storing the password locally is necessary for the claimed functionality but is a sensitive action: credentials are stored as plain JSON in the user's home directory (file permissions set to 0600).
Persistence & Privilege: okThe skill does not request 'always: true' or elevated platform privileges, does not modify other skills or global agent settings, and only writes to its own config file in the user's home directory. Autonomous invocation remains enabled (default) but is not paired with broad or unrelated access.