Back to skill
Skillv1.0.0
ClawScan security
Travel Language Barrier Navigator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 3:02 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a self-contained, descriptive travel-language planning skill whose code and documentation are internally consistent and do not request extra credentials, network access, or elevated privileges.
- Guidance
- This skill appears coherent and low-risk: it runs a local handler that parses your text and returns structured recommendations with no network calls or credential access. Before installing, review whether you trust the skill author, avoid sending highly sensitive personal data in prompts (the skill echoes input in its JSON response), and note the small wording mismatch in SKILL.md ('No code execution' vs. included handler code) — the handler runs locally but performs only harmless parsing and text-generation logic. If you want extra assurance, run the provided tests (tests/test_handler.py) in a safe environment to verify behavior.
Review Dimensions
- Purpose & Capability
- okName/description, SKILL.md, skill.json, and handler.py all align: the skill analyzes user-provided travel text and returns travel-language recommendations. It does not request credentials, binaries, or config paths, which is proportionate to its stated purpose.
- Instruction Scope
- noteSKILL.md explicitly states 'No code execution' and 'No external APIs'; handler.py does execute locally (parsing input and returning JSON) but does not call external processes, network, or read other system files. The wording in SKILL.md could be misread — it means no external/network calls or unsafe operations, not that there is literally no code to run. This minor wording mismatch is non-malicious but worth noting.
- Install Mechanism
- okNo install specification (instruction-only runtime) and no external downloads. Code files are included but there is no installer or external package fetch — low install risk.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The handler does not access environment variables or secrets; required surface area is minimal and appropriate.
- Persistence & Privilege
- okSkill is not always-enabled, does not elevate privileges, and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but there are no additional persistence requests.