Skill v1.0.1

ClawScan security

Chinese Daily Assistant · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 27, 2026, 1:21 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required resources are consistent with a simple local Chinese daily assistant—no unexplained credential requests or network installs are present.
Guidance
This skill appears internally consistent and implements all features locally using bundled data. Before installing: (1) confirm you trust the unknown author/source (no homepage provided); (2) inspect scripts/main.js yourself (it’s short and readable) or run the included test.js in a sandboxed environment; (3) if future updates promise real-time API integration, verify what API endpoints and credentials will be required before granting them. If you want extra caution, run the skill inside an isolated container or VM so future network-enabled versions can’t exfiltrate data without your review.

Review Dimensions

Purpose & Capability
note: Name/description (weather, exchange, festivals, tips, translation) match the included files and local JS implementation. Minor wording inconsistency: SKILL.md and README sometimes refer to using public APIs (中国气象局/中国人民银行) while the shipped code uses local simulated/static data—this appears to be a planned future integration rather than a present requirement.
Instruction Scope
ok: SKILL.md and other docs only instruct typical usage (commands, examples) and do not request reading unrelated files, accessing secrets, or sending data to external endpoints. The runtime instructions are limited to local operations and calling the provided scripts.
Install Mechanism
ok: No install spec is provided (instruction-only + code bundle). There are no downloads, no external package installs, and package.json has no dependencies. Nothing in the manifest indicates code will be fetched from arbitrary URLs or executed during install.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config paths. The code does not read process.env or request credentials—so requested privileges are proportionate to its purpose.
Persistence & Privilege
ok: always is false and autonomous invocation is allowed (platform default). The skill does not request persistent system-wide changes or modify other skills. No elevated privileges are requested.