Skillv1.0.0

ClawScan security

Sensory Awareness Enhancer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 19, 2026, 2:04 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are coherent with a descriptive mindfulness tool and do not request unexplained credentials, network access, or privileged persistence.
Guidance: This skill appears internally consistent and low-risk: it contains only local text-processing code and no network, credential, or privileged behavior. Consider the following before installing: (1) provenance — the source/homepage is missing and readiness is marked 'development', so prefer using it in non-critical contexts until provenance is confirmed; (2) review handler.py yourself (or ask someone to) if you require stronger assurance — the code is small and readable; (3) it is explicitly not a substitute for professional medical or trauma therapy — avoid using it as clinical treatment; (4) if you need production quality or auditability, request a published homepage, license, and author contact before deploying widely.

Review Dimensions

Purpose & Capability: okThe name and description (sensory/mindfulness practices) align with the included code and SKILL.md. The handler produces structured JSON recommendations and uses only local string parsing and heuristics relevant to tailoring sensory-awareness guidance. The skill does not request unrelated credentials, binaries, or external services.
Instruction Scope: noteSKILL.md stays on-topic (assessment, channel training, body scan, integration) and explicitly disclaims medical/legal advice and session persistence. The included handler implements only local text analysis and generation. Minor oddities: ACCEPTANCE.md lists 'No code execution' as a non-functional criterion while the package contains a runnable handler.py (this is not a security problem here but is an inconsistency in documentation vs. included code).
Install Mechanism: okThere is no install spec and no downloads or third-party packages. All code is contained in the bundle and there are no network calls or external installers, which is low risk.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The handler accesses only its input string and standard lib modules; no secrets or system state are requested or used.
Persistence & Privilege: okThe skill is not always-enabled and does not request persistent system privileges or modify other skill configurations. SKILL.md claims it does not store personal data between sessions and the code contains no persistence or external transmission.