Back to skill
Skillv1.0.0
ClawScan security
Study Buddy · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 4:36 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, runtime instructions, and requested resources are consistent with a local CLI study-tracking tool that stores data under ~/.study-buddy and does not request external credentials or network access.
- Guidance
- This skill appears coherent and local-only, but you should: (1) review scripts/study-buddy.py yourself (or run it in a sandbox) before executing, since it will create and modify files under ~/.study-buddy; (2) back up any important data before first run; (3) be cautious about future updates or the planned Feishu/multi-device sync features — those could add network/credential requirements, so re-check permissions and env vars if the skill is updated; and (4) consider running it in a constrained environment if you don't trust the unknown publisher.
Review Dimensions
- Purpose & Capability
- okName/description (personalized study plans, tracking, feedback) match the included files and CLI: SKILL.md, README, commands, and a Python script implementing start/plan/today/checkin/progress/report/wrong/feedback/data. No unrelated resources (cloud creds, other platform tokens, system config paths) are requested.
- Instruction Scope
- okSKILL.md instructions are limited to creating a local profile, generating plans, logging progress, and managing a wrong-question notebook. The instructions and the Python script reference only local files under ~/.study-buddy and standard CLI interaction — they do not instruct reading arbitrary system files, contacting external endpoints, or collecting unrelated secrets.
- Install Mechanism
- okThere is no install spec; this is effectively an instruction-only skill plus an included Python script. It requires only Python (no install steps download/execute remote code). No archive downloads, no package registry installs, no extract-from-URL actions.
- Credentials
- okThe skill declares no required environment variables, no credentials, and no config paths. The code uses the user's home directory (~/.study-buddy) for local data storage, which is proportionate to a local CLI study tracker.
- Persistence & Privilege
- okSkill is not marked always:true and does not modify other skills or global agent settings. Its persistence is limited to creating and updating files under ~/.study-buddy, which is appropriate for storing user profiles, plans, logs, and wrong-question data.