Skillv1.0.0

ClawScan security

Boss Fight Stamina Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 15, 2026, 12:03 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions are consistent with its stated purpose: it parses the included SKILL.md and returns descriptive stamina-management guidance without accessing external systems or secrets.
Guidance: This skill appears to be a safe, local text-guidance tool: it reads its own SKILL.md and user-provided context and returns a formatted plan. It does not access credentials, devices, or external networks. Consider: (1) don't treat this as medical advice—seek professionals for alarming health symptoms (the SKILL.md already says this); (2) if you plan to give it sensitive health data, remember it will include that text in its output — avoid sharing extremely sensitive personal identifiers; (3) the skill can be invoked autonomously by the agent (platform default), so if you enable autonomous runs, be aware the agent might call this skill without an explicit manual trigger (this is a platform behavior, not something the skill itself requests).

Purpose & Capability: okName, description, and requested resources align: the skill is text-only guidance for stamina management and declares no binaries, env vars, or device integrations. The handler simply reads SKILL.md and formats guidance, which is proportionate to the stated purpose.
Instruction Scope: okSKILL.md contains only advisory instructions and inputs to collect; the runtime handler only reads the local SKILL.md and user input and produces a formatted descriptive card. There are no instructions to read unrelated files, access system state, or transmit data externally.
Install Mechanism: okNo install spec is provided (instruction-only + a local handler), so nothing is downloaded or installed. The repository includes handler.py and tests but no remote install steps or external package downloads.
Credentials: okThe skill requests no environment variables, credentials, or config paths. Handler.py does not reference environment variables or secrets; required inputs are user-provided context strings, which is appropriate for a guidance skill.
Persistence & Privilege: okThe skill is not marked always:true and does not modify other skills or system configuration. Default autonomous invocation is allowed by platform policy (disable-model-invocation:false) but this is a platform default and the skill itself performs only local formatting of text.