Skill v1.0.1
ClawScan security
Skill Health · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 10:39 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The package and runtime instructions match the stated purpose: local analysis of wearable CSV/JSON exports into compact JSON reports; no disproportionate credentials, network endpoints, or installers were observed in the reviewed files.
- Guidance: This skill appears coherent and focused: it reads local wearable exports and emits JSON reports. Before installing or running it: (1) run in an isolated environment (virtualenv/container) and install Python 3.10+ and pandas; (2) review the remaining omitted files (12 files were not shown in the prompt) if you want maximum assurance; (3) treat output and inputs as sensitive health data—do not upload them to external services unless intended; (4) if you do not want the agent to invoke skills autonomously, adjust the agent/skill invocation settings. Running the scripts on a small sample dataset in a sandbox is a good first test.
Review Dimensions
- Purpose & Capability (ok): Name/description (analyze wearable CSV exports and produce JSON reports) align with the included Python modules and scripts (hourly/daily/weekly/monthly/sleep analyses, loaders, and reporting). The SKILL.md dependency note (Python 3.10+ and pandas) matches the code's use of pandas and datetime. No unexpected cloud or unrelated service credentials are requested.
- Instruction Scope (ok): SKILL.md instructs running local Python scripts with --data-path/--data-dir and --timezone; the scripts and analysis modules operate on local data (CSV/ZIP/directories) and produce JSON to stdout or --output-dir. In the provided source snippets the code only reads local files (data and previous JSON outputs) and does not access environment variables, system configuration, or external network endpoints.
- Install Mechanism (note): No install specification is present (scripts are run directly). This is low-risk but requires the host to provide Python 3.10+ and pandas. The package includes many source files but nothing that downloads or extracts remote archives was observed. Users should install dependencies in a virtualenv or sandbox.
- Credentials (ok): The skill declares no required env vars, credentials, or config paths. The code snippets do not read os.environ or other secrets. Requested access (local CSV/ZIP health exports) is proportional to the stated analysis purpose.
- Persistence & Privilege (ok): always:false and default autonomous invocation are set (platform default). The skill does not request to persist configuration or alter other skills. No indication of attempts to modify system-wide settings or other skills' configs in the reviewed files.
