Skill v1.0.0

ClawScan security

Diankeyuan Contacts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 2, 2026, 4:15 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its stated purpose (local contact management), and there are no requests for unrelated credentials, network access, or risky install steps. However, the data file path is hardcoded to a specific user account, which you should note and optionally change.
Guidance
This skill is a local contact manager that reads/writes a JSON file and does not reach out to the network or request secrets. Before installing or using it:
1) Inspect/confirm or change the DATA_FILE path in manager.py (currently /Users/aibin/...) so it points to a directory you control.
2) Be aware the skill will store contact data locally in that JSON file; avoid putting sensitive personal data there unless you trust and secure the file (permissions/backups).
3) Run the Python script in a safe environment (review the code if you want extra assurance).
4) If you expect the skill to be multi-user or run under a different account, modify the hardcoded path to a configurable location (e.g., use a relative path or an environment variable).

Review Dimensions

Purpose & Capability
note
Name/description (管理电科院联系人, "manage Diankeyuan contacts") align with the provided code and SKILL.md: both implement add/query/update/delete of local contacts. One mismatch: the data file path is hardcoded to /Users/aibin/.openclaw/workspace/diankeyuan_contacts.json, which assumes a specific username/environment rather than a generic, configurable location.
Instruction Scope
ok
SKILL.md documents commands and states data is stored in the JSON file; the included manager.py only reads/writes that JSON file and prints results. The instructions do not ask the agent to read other system files, environment variables, or send data to remote endpoints.
Install Mechanism
ok
No install spec or remote downloads are present. This is an instruction-only skill supplemented by a local Python script; nothing is written to disk by an installer beyond the included code file.
Credentials
note
The skill requests no environment variables or external credentials, which is proportionate. Note that the script uses a fixed filesystem path under /Users/aibin; this is not a secret but is environment-specific and may be undesirable if you run under a different user or want data elsewhere.
Persistence & Privilege
ok
"always" is false and the skill does not request elevated privileges or modify other skills/configs. It does persist data to a local JSON file (its own data), which is expected behavior for a contact manager.