Skill v1.0.1

ClawScan security

Traditional Chinese Dictionary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 6:18 PM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code, requirements, and runtime instructions are consistent with its stated purpose (downloading and querying MOE Traditional Chinese dictionaries) and do not ask for unrelated credentials or unusual privileges.
Guidance
This skill appears coherent and uses reasonable safeguards (TLS, zip-slip checks, isolated storage). Before installing:
1) Inspect the full script files in the package (the provided excerpts are truncated in places) to confirm there are no hidden endpoints or unexpected behavior.
2) Run in a Python virtual environment and install dependencies with pip.
3) If you enable automatic updates (cron), choose a conservative interval and monitor downloaded files.
4) Verify the MOE URLs are the official domain (language.moe.gov.tw) and, if you want extra assurance, compare the bundled code to the upstream GitHub repo referenced in the README.
5) Because the package source in the registry is 'unknown' (no homepage), if you require higher assurance, ask the publisher for provenance or use the code only after manual review.

Review Dimensions

Purpose & Capability
ok: Name/description match what the package does: downloading, extracting, versioning, and querying MOE dictionary .xlsx files. Required packages (pandas, openpyxl) and the three scripts align with this purpose. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
ok: SKILL.md and scripts confine activity to downloading from MOE, validating and extracting zip files into a user-controlled directory (~/.openclaw/dictionaries), indexing xlsx content and responding to lookups. Instructions mention optional cron updates (expected for update checks). There are no instructions to read unrelated system files, access other credentials, or transmit data to endpoints outside the MOE domain.
Install Mechanism
ok: No install spec is provided (instruction-only skill with bundled Python scripts). Dependency installation uses pip (optionally 'uv pip'), installing only pandas and openpyxl from PyPI — proportionate for parsing Excel files. Nothing is downloaded from unknown/personal servers during install.
Credentials
ok: The skill requires no environment variables, no credentials, and stores data in a user-writable path by default. It does not request unrelated secrets or system-wide config. The only external network access is to MOE (language.moe.gov.tw), which matches the stated function.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or system-wide agent settings. It may create files under ~/.openclaw/dictionaries and supports cron-based periodic checks (explicit and user-enabled), which is appropriate for update automation. Autonomous invocation is allowed by default (platform normal).