Skill v1.0.0
ClawScan security
OpenCC · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 10:46 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and declared dependency (opencc) match its stated purpose of Chinese Simplified/Traditional and regional conversion and do not request credentials or perform suspicious operations.
- Guidance: This skill appears coherent and purely focused on Chinese character conversion, but before installing you should:
  1. Verify which opencc package you'll install (pip package name and maintainer) and pin a known-good version — malicious or typo-squatted PyPI packages are possible.
  2. Confirm the opencc package you install provides the expected JSON mode files (s2t.json, s2tw.json, etc.) or supply them from a trusted OpenCC release.
  3. If you require production or high-assurance use, audit the installed opencc package (check for native code, post-install hooks, and network behavior) and run the included tests (pytest test_convert.py).
  4. No secrets or network endpoints are present in the skill itself, but keep general supply-chain caution for third-party dependencies.
Review Dimensions
- Purpose & Capability (ok): Name/description, README, SKILL.md, pyproject.toml, scripts/convert.py, and tests all align: the skill wraps the OpenCC conversion library and exposes CLI and Python usage. There are no unrelated environment variables, binaries, or credentials requested.
- Instruction Scope (note): Runtime instructions and the CLI script only read input text (positional argument, stdin, or an input file), perform conversion via opencc.OpenCC(...).convert(...), and write output to stdout or a file. They do not access external endpoints, secrets, or unrelated system files. Note: the skill expects OpenCC JSON mode files (e.g., s2t.json) to be available via the opencc package at runtime — the repo does not include those JSON files itself, so correct behavior depends on the installed opencc package providing them.
- Install Mechanism (note): No registry install spec is provided in the skill metadata, but SKILL.md/README suggest installing via 'uv add opencc' or 'pip install opencc' and pyproject.toml declares dependency 'opencc>=1.2.0'. Installing a PyPI package is expected for this functionality. This is a normal install pattern, but the runtime depends on the authenticity and contents of the opencc package (which may include native components).
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. All code operates on supplied text/files and uses the opencc library only — there is no disproportionate secret access or credential request.
- Persistence & Privilege (ok): The skill does not request always:true, does not modify other skills or global agent settings, and is user-invocable. It does not persist credentials or enable itself automatically in a privileged way.
