Skill v1.0.0

ClawScan security

Energy Peak Finder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 1:08 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and instructions are coherent with its description: it analyzes user-provided text to identify energy windows, asks for no credentials, and performs no network or privileged actions.
Guidance
This skill appears low-risk and does what its description promises: it analyzes text notes to suggest energy windows and a one-week experiment. Before installing or using it, consider: (1) It uses simple keyword heuristics — results are heuristic, not clinical; validate suggestions yourself. (2) Verify where the skill runs in your environment (local vs remote agent) because any user text you submit could be logged or transmitted by the hosting agent/platform — the skill itself contains no network calls. (3) Don't submit sensitive health or identifying information in observations you don't want stored or transmitted. (4) If you have concerns, review handler.py and run the included tests locally to confirm behavior.

Review Dimensions

Purpose & Capability
ok: Name/description (finding energy peaks from observation notes) matches the code and SKILL.md. The code only parses text, scores time blocks, reports disruptors, and produces a one-week experiment. There are no unrelated env vars, binaries, or surprising capabilities.
Instruction Scope
ok: SKILL.md instructs the agent to analyze user-provided observations; handler.py implements that workflow. The runtime only reads the bundled SKILL.md file and the provided input text; it does not access calendars, wearables, external APIs, or other system paths.
Install Mechanism
ok: No install specification or external downloads. This is effectively an instruction-only skill with small local Python code and tests, so nothing is pulled from the network or written to the system outside the skill package.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the code does not read environment secrets. All operations are local string processing; requested privileges are minimal and proportionate.
Persistence & Privilege
ok: always is false and the skill does not modify other skills or system-wide settings. It performs no persistent installs or daemonization.