Skill v1.0.0

ClawScan security

work-estimation-zh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 27, 2026, 4:02 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are internally consistent with a work‑estimation/Excel‑generation tool: it produces offline Excel reports and does not request credentials or reach out to external endpoints.
Guidance
This skill appears to be what it says: an estimator + Excel generator. Before installing/using it:
1) ensure the runtime has Python and the openpyxl package (the script imports openpyxl but dependencies aren't declared);
2) do not upload documents that contain secrets, credentials, or sensitive PII — the skill expects requirement texts or document contents which the agent may process;
3) note scripts/test_login.py contains a hard‑coded Windows sys.path sample (C:/Users/Administrator/…) used only for local testing — harmless but non‑portable;
4) if you plan to run the included Python scripts locally, run them in an isolated environment (virtualenv) to avoid dependency conflicts.
Overall, there are no signs of credential exfiltration or hidden network endpoints in the packaged files.

Review Dimensions

Purpose & Capability
ok · Name/description (software work estimation and Excel report generation) match the included files: SKILL.md describes collecting requirements and producing an Excel report, and scripts/generate_estimation.py implements multi‑sheet Excel generation. There are no unexpected credentials, binaries, or unrelated packages requested.
Instruction Scope
note · SKILL.md describes asking the user for requirement text or a document path and using AI to split/estimate. The repository provides the Excel generation logic but does not include code to parse arbitrary uploaded files or call external services; the AI/model is expected to do the splitting. This is reasonable, but be aware the skill's instructions imply the agent may request/ingest user documents — avoid uploading sensitive documents (API keys, passwords, PII) to the skill/agent unless you trust the platform's data handling.
Install Mechanism
note · There is no install spec (instruction-only skill with bundled utility scripts). The script imports openpyxl (and other standard libraries) but the skill metadata does not declare Python package dependencies. You should ensure required Python packages (openpyxl) are available in the runtime. No remote download URLs or installers are present.
Credentials
ok · The skill does not require environment variables, credentials, or config paths. The code does not access secrets or external services. This is proportionate to its stated purpose.
Persistence & Privilege
ok · Skill flags: always=false and it does not request system-wide config changes. It does not attempt to persist credentials or modify other skills. Autonomous invocation is allowed by default but is not combined with broad privileges here.