Back to skill
Skillv1.0.0
ClawScan security
Andorra · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 11, 2026, 4:21 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- An instruction-only travel guide that stores trip memory under ~/andorra/ and otherwise makes no external requests or credential demands — the requested footprint matches its stated purpose.
- Guidance
- This skill is an instruction-only travel guide that keeps trip preferences and memory in ~/andorra/ and otherwise asks for nothing (no API keys, no binaries, no network access). Before installing: (1) confirm you’re comfortable having trip notes stored in ~/andorra/ (it may contain personal itinerary details); (2) review the shipped markdown files if you want to verify content and tone; (3) note the source is listed as unknown/third-party — if provenance matters, consider verifying the author or preferring skills from authors you trust. If you ever want to remove the skill’s data, delete the ~/andorra/ folder. Overall the package is internally consistent and low-risk.
Review Dimensions
- Purpose & Capability
- okName/description (Andorra trip planning) aligns with requested artifacts: a local config path ~/andorra/ for trip memory and many text reference files. No unrelated credentials, binaries, or network access are requested.
- Instruction Scope
- okSKILL.md and the included content files are purely documentation and runtime instructions (read setup.md, use files, save memory in ~/andorra/). There are no instructions to read other system files, access other credentials, or send data externally.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This is the lowest-risk pattern (nothing is downloaded or executed on install).
- Credentials
- okNo environment variables, binaries, or external credentials are required. The single requested resource (a config path in the user's home) is reasonable for storing trip memory.
- Persistence & Privilege
- noteSkill stores memory under ~/andorra/ (declared). It does not request always:true or other elevated privileges. Note that any saved trip memory will reside in the user's home directory — users should be comfortable with that storage location and content.