Skillv0.1.0

ClawScan security

Declutter Coach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 7, 2026, 2:33 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and requirements match its simple decluttering purpose; it doesn't request credentials, perform network I/O, or install extra software. The main issues are a minor logic bug in keyword detection and lack of provenance metadata.
Guidance: This skill appears coherent and low-risk: it only generates text-based decluttering plans and asks for no credentials or network access. Two practical notes before installing: (1) The input parsing has a bug — the keyword-detection branch sets the area to '衣物' unconditionally in many cases, so test it with your expected prompts and consider fixing parse_declutter_input if results are incorrect. (2) The SKILL.md suggests taking photos as a human workflow tip, but the skill does not capture or upload images — do not expect image handling. Also note the skill's source/homepage is unknown; while the code is simple and safe, prefer skills with clear provenance if that matters to you.

Purpose & Capability: okName/description (declutter advice) align with what the code and SKILL.md do: produce step-by-step plans, category rules, time estimates and donation/resale suggestions. The skill does not request unrelated capabilities, binaries, or credentials.
Instruction Scope: noteSKILL.md stays on-topic (identify area, give rules, plan, channels). The handler implementation is local-only and does not read files, env vars, or perform network calls. SKILL.md suggests taking photos for before/after comparison — the code only advises this but does not capture or upload images, which is consistent (no hidden image exfiltration), but you should be aware photos are recommended by the advice even though the skill will not process them.
Install Mechanism: okNo install specification and only a small Python handler file — no remote downloads, package installs, or archive extraction. Low risk from installation mechanism.
Credentials: okThe skill requires no environment variables, no credentials, and no config paths. There is nothing disproportionate requested for its stated functionality.
Persistence & Privilege: okalways is false and the skill does not ask for persistent system presence or modify other skills or system settings. It can be invoked normally by the agent.