Back to skill
Skillv1.0.0
ClawScan security
Loot Reward Celebrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 15, 2026, 11:03 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions are consistent with its stated purpose (creating modest, sustainable reward suggestions) and do not request credentials, perform network access, or touch unrelated system resources.
- Guidance
- This skill appears low-risk and implements exactly what it promises: local parsing of your input and returning a markdown 'loot reward' suggestion. If you want extra assurance, run the included tests (tests/test_handler.py) in a sandboxed environment and inspect handler.py yourself; no network calls or credential access are present. If you plan to share or publish this skill widely, consider reviewing any future changes for added I/O or networking before trusting it with sensitive data.
Review Dimensions
- Purpose & Capability
- okName, description, SKILL.md workflow, and handler.py are consistent: the skill takes a completed-task input and builds a reward/loot-table response. There are no unexpected required binaries, env vars, or external services that would be incoherent with this purpose.
- Instruction Scope
- okSKILL.md instructs the agent to generate reward suggestions and record/display ideas. handler.py implements only local text parsing and output generation. The code reads the bundled SKILL.md for metadata, parses input, and formats a markdown result — no instructions to read unrelated files, system config, or transmit data externally.
- Install Mechanism
- okThere is no install spec (instruction-only runtime) and included code is pure Python with standard-library imports. Nothing in the package downloads or extracts external artifacts or creates non-standard binaries.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The code does not reference environment secrets or external service keys; inputs are parsed from the provided user input only.
- Persistence & Privilege
- okThe skill is not force-installed (always: false) and does not modify other skills or system-wide settings. It can be invoked autonomously per platform defaults, but it does not request elevated persistence or privilege.