Skill v1.0.0
ClawScan security
Than Cuu Numerology Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 3:10 AM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are consistent with a numerology analysis tool, but it persistently stores analyses (including names and birthdates) in the agent's knowledge folder — a privacy consideration the user should review before installing.
- Guidance
- This skill appears to do what it claims (a numerology analyzer) and does not ask for unrelated credentials or downloads. However, it will automatically save analysis results (full names and dates of birth) into knowledge/md/ThanCuu/TuongQuan/ and add entries to knowledge/INDEX.md. Before installing, consider:
  - Are you comfortable with these analyses (PII) being stored persistently on the agent's host?
  - Avoid supplying full ID numbers or other unnecessary sensitive identifiers; provide only the minimum (name and DOB) if possible.
  - If you want to keep results private, plan to regularly inspect and delete the files in knowledge/md/ThanCuu/TuongQuan/ and the INDEX, or modify the skill to disable autosave.
  - Ensure the agent runs on a trusted device and that file-system access is acceptable for your privacy policy.
  If you want, I can suggest a modified SKILL.md that asks for explicit consent before saving or that stores only an anonymized record instead of full PII.
Review Dimensions
- Purpose & Capability
- ok: Name and description (Thần Cửu numerology by full name and DOB) match the runtime instructions and provided reference material. The skill requests only the personal data needed for the stated analysis and does not ask for unrelated credentials, binaries, or external services.
- Instruction Scope
- note: Instructions are specific to computing the eight numerology categories and reference internal markdown files. However, the SKILL.md instructs the agent to automatically save the full analysis (including full names and birthdates) to knowledge/md/ThanCuu/TuongQuan/ and update knowledge/INDEX.md — persistent storage of PII is explicit and should be considered by the user.
- Install Mechanism
- ok: This is an instruction-only skill with no install spec and no code files to execute or download. That minimizes execution and supply-chain risk.
- Credentials
- ok: The skill requires no environment variables, credentials, or access to config paths beyond writing into the agent's knowledge directory as described. No disproportionate secrets or unrelated service tokens are requested.
- Persistence & Privilege
- note: The skill writes analysis results (including PII) into the agent's knowledge directory and updates an INDEX file. It does not request always:true or elevated system privileges, but the automatic, persistent storage of identifiable personal data is a privacy risk the user should accept explicitly or change.
