Back to skill
Skillv1.0.1
ClawScan security
Cat Food Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 24, 2026, 2:30 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and files are consistent with its stated purpose (validating and summarizing cat-feeding backups); it requests no credentials, makes no network calls, and has no install actions.
- Guidance
- This skill appears internally consistent and limited to local data processing. Before using it: (1) ensure you have Node.js to run the scripts; (2) only run the scripts on backups you trust or are willing to expose to local code execution; (3) review the included .mjs files if you want to double-check behavior—they are short and readable and contain no network or credential usage; (4) note the agent can invoke the skill autonomously by default—if you want stricter control, disable autonomous invocation in your agent settings before installing.
Review Dimensions
- Purpose & Capability
- okName/description match the included scripts and reference docs: validation, daily summaries, CSV export, and related calculations are implemented in the bundled .mjs files and referenced docs.
- Instruction Scope
- okSKILL.md instructs running the included Node scripts against local backup files or stdin. The runtime instructions only touch backup JSON, local reference docs, and produce summaries; there are no instructions to read unrelated system files, access environment variables, or send data to external endpoints.
- Install Mechanism
- okNo install spec is provided (instruction-only installation). The package includes plain JavaScript scripts to run with Node.js; there are no downloads, external installers, or archive extraction steps.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. The scripts accept local file input or stdin only, which is proportionate to the declared functionality.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system privileges or modify other skills/config. It is user-invocable and may be invoked autonomously by the agent (default), which is normal for skills and not flagged here.