Skill v1.0.0

ClawScan security

Plant Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 11, 2026, 9:24 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent for a local plant-tracking utility: it stores data in a user-scoped JSON file, has no network calls or secret requirements, and its export/path checks match the described behavior.
Guidance
This skill appears coherent and local-only: it will create and update ~/.openclaw/workspace/plants_db.json and can write export files under your home, workspace, or /tmp. Before installing or running, consider: (1) verify the source or inspect scripts/plant_tracker.py if you don’t trust the publisher, (2) ensure the script is run in an environment you control (it will write files to your home), (3) if you want it on your PATH, you must put the script there or call it via python3 scripts/plant_tracker.py, and (4) check file permissions for the database if you’re concerned about other local users reading it. There are no network calls or hidden credential requests in the provided code.

Review Dimensions

Purpose & Capability
ok
Name/description (plant tracking) matches the included script and SKILL.md. The script stores data in ~/.openclaw/workspace/plants_db.json and provides add/list/show/care/search/export commands; these are proportionate to the stated purpose.
Instruction Scope
ok
SKILL.md instructs running the plant_tracker.py commands and documents storage/export behavior. Instructions do not ask the agent to read unrelated files, environment variables, or send data to external endpoints. Export path validation is described and implemented in code.
Install Mechanism
ok
No install spec is provided (instruction-only). A Python script is included but nothing is downloaded or extracted during install. Risk from installation is low; executing the bundled script will write to disk as expected.
Credentials
ok
The skill requests no environment variables or credentials. Data is kept under the user's home directory; no remote credentials or unrelated secrets are required.
Persistence & Privilege
ok
The skill does not request always:true and can be invoked by the user. It writes only to its own database path (~/.openclaw/workspace/plants_db.json) and export files in user-safe locations; it does not modify other skills or system-wide configs.