Skill v1.0.0
ClawScan security
The skill for chess player · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 8:14 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its stated purpose (fetching public Chess.com player stats) and do not request secrets, unrelated binaries, or external endpoints beyond the Chess.com public API.
- Guidance: This skill appears coherent and low-risk: it validates the username and only queries the public Chess.com API. Before installing, confirm you trust the skill source (the repository/homepage is unknown). If you will run untrusted code, consider executing it in a limited environment (container or sandbox). Note: the script's User-Agent contains a placeholder contact (you@example.com) — harmless but you may prefer to update it if you publish or reuse the script. Overall, no secrets or unrelated system access are requested.
Review Dimensions
- Purpose & Capability: ok. Name/description state: fetch Chess.com stats via public API. The included Python script and SKILL.md both only perform a GET to api.chess.com for a validated username and format the response. No unrelated capabilities or credentials are requested.
- Instruction Scope: ok. SKILL.md restricts behavior to validating a username and running the local script. The script only reads command-line input, performs an HTTP GET to the Chess.com API, and prints results. It does not read arbitrary files, environment variables, or send data to endpoints other than api.chess.com.
- Install Mechanism: ok. No install spec is provided (instruction-only with a small local Python script). Nothing is downloaded or extracted during install, and no external packages are pulled at runtime beyond the standard Python library used in the script.
- Credentials: ok. The skill declares no required environment variables or credentials and the code does not access secrets or config. It only issues unauthenticated requests to the Chess.com public API, which is appropriate for the stated purpose.
- Persistence & Privilege: ok. The skill does not request persistent/always-installed presence, does not modify other skills or system-wide settings, and does not store credentials. Autonomous invocation is allowed by platform default but is not coupled with elevated privileges here.
