Skill v1.0.0

ClawScan security

A foolproof EPUB Traditional/Simplified conversion skill that can convert Traditional Chinese e-books to Simplified Chinese, or the reverse. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 4:11 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions are coherent with its stated purpose (EPUB Traditional↔Simplified conversion); it auto-creates a local virtualenv and installs standard PyPI packages, which is expected behavior for this utility.
Guidance
This skill appears to do what it says: it converts EPUB text and metadata between Traditional and Simplified Chinese. Before running: (1) be aware it will create a virtual environment at ~/.openclaw/epub_venv and pip-install packages from PyPI (network access required); (2) if you prefer to review or control installs, manually create/activate a venv and pip install ebooklib and opencc-python-reimplemented before running; (3) back up originals (recommended), and avoid attempting to convert DRM-protected files; (4) you can inspect scripts/convert_epub.py and run test_skill.sh to verify behavior locally. If you need stricter supply-chain guarantees, verify package versions or install from pinned wheels/sources.

Review Dimensions

Purpose & Capability
ok: Name/description match the included files and behavior: scripts/convert_epub.py parses EPUBs, converts text and metadata using OpenCC and ebooklib, and writes a new EPUB. No unrelated credentials, binaries, or services are requested.
Instruction Scope
ok: SKILL.md instructs the agent/user to run the included script and documents what is and isn't converted. Runtime instructions (create venv, install ebooklib and opencc-python-reimplemented, parse/convert EPUB files, fix TOC) are narrowly scoped to the conversion task and do not request unrelated files, credentials, or external endpoints.
Install Mechanism
note: There is no separate install spec; the script auto-creates a virtualenv at ~/.openclaw/epub_venv and runs pip install to fetch dependencies from PyPI at first run. This is expected for a Python utility but does perform network downloads and writes to the user's home directory. The subprocess calls are invoked safely (list form) and install common packages (ebooklib, opencc-python-reimplemented).
Credentials
ok: The skill requests no environment variables, credentials, or config paths beyond creating/using ~/.openclaw/epub_venv. That filesystem access is proportional to the stated behavior (local venv and caches).
Persistence & Privilege
note: The script creates persistent files (virtualenv) under ~/.openclaw, which is reasonable for convenience. always:true is not set, and the skill does not modify other skills or global agent configuration. Users should be aware of the venv left on disk.