Back to skill
Skillv1.0.0
ClawScan security
Travel Volunteer Ethics Evaluator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 21, 2026, 3:02 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill's code, documentation, and runtime behavior are consistent: it performs only local text analysis and returns descriptive recommendations without external network calls or credential requirements.
- Guidance
- This skill appears coherent and low-risk: it only does simple local text parsing and returns JSON recommendations, with no network calls or credential access. If you plan to install it, review handler.py (it's short and readable) to confirm you are comfortable running the included code. Be aware that if you let an agent invoke skills autonomously, the agent can call this skill without prompting, but the skill itself does not exfiltrate data or contact external services. If you handle sensitive input, avoid sending secrets (passwords, API keys) to any skill even if it appears benign.
Review Dimensions
- Purpose & Capability
- okName/description (volunteer tourism ethics evaluator) align with the provided handler logic and SKILL.md. The skill requires no binaries, env vars, or external services and the handler implements local, text-based analysis and canned frameworks that fit the stated purpose.
- Instruction Scope
- noteSKILL.md repeatedly emphasizes 'No code execution' and 'No external APIs'; the package does include a handler.py (intended runtime code). This is not malicious: the handler only performs local processing and emits JSON. The wording in SKILL.md could be clearer (it likely means 'no external/network code execution').
- Install Mechanism
- okThere is no install specification (instruction-only style). No downloadable archives or external package installs are declared, so nothing extra is written to disk beyond the included files.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths, and the code does not access any environment variables or secrets. Requested privileges are proportional to the described functionality.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or elevated presence. It does not modify other skills or system configuration and has no special privileges.