Skill v1.0.0
ClawScan security
Mood Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 17, 2026, 7:30 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions align with a simple mood-tracking CLI, but there are inconsistencies about required binaries/install steps and no source/homepage. Verify installation and provenance before using.
- Guidance: This skill appears to be a simple CLI-based mood tracker, but the package metadata/README and SKILL.md disagree about how it is installed and which binaries are required. Before installing:
  1. Ask the publisher for the source repository or homepage so the code can be inspected and provenance confirmed.
  2. Confirm what runtime is required. SKILL.md expects a `clawhub` CLI: do you have, and trust, that CLI? Check whether installation uses npm/npx, which fetches and runs code.
  3. If the Pro/AI features contact remote services, ask where data is sent and how it is stored.
  4. Prefer installing and testing in a sandbox or VM if you cannot verify the author.
  The inconsistencies make this suspicious rather than clearly benign.
Review Dimensions
- Purpose & Capability
- note: Name/description (mood tracking, analysis, tips) match the SKILL.md commands (`clawhub mood ...`). However, the package metadata and README disagree about runtime dependencies: SKILL.md expects a `clawhub` CLI, the README shows installation via `npx clawhub@latest`, and _meta.json lists `curl` as a required binary. The registry listing itself declared no required binaries. This mismatch is disproportionate to the simple stated purpose and should be clarified.
- Instruction Scope
- ok: The runtime instructions are narrowly scoped: they instruct invoking local CLI commands (`clawhub mood log/pattern/tips/trigger`). They do not ask the agent to read arbitrary files, access environment variables, or send data to external endpoints directly. There is no broad or vague guidance that would grant the agent wide discretion.
- Install Mechanism
- note: This is an instruction-only skill with no install spec or code files (lower risk). But the README suggests `npx clawhub@latest install mood-tracker` (implying npm/npx and fetching code), while _meta.json requires `curl`; neither is represented in the registry-required binaries. Because installation may fetch and execute code via npx/npm, which writes that code to disk, the absence of an explicit, consistent install spec is a concern to verify before use.
- Credentials
- ok: No environment variables, credentials, or config paths are declared or referenced in SKILL.md. The skill does not request secrets or unrelated credentials; this is proportionate for a local CLI-based mood tracker.
- Persistence & Privilege
- ok: The skill is not marked always:true and has no install-time hooks declared. It does not request persistent privileges or attempt to modify other skills' configs. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
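The guidance and the Install Mechanism finding both come down to one check: do the binaries a skill declares match the commands its SKILL.md and README actually invoke, and does any of those commands fetch and run remote code? The script below is an added example, not ClawHub or ClawScan code. It assumes _meta.json carries a `requiredBinaries` list (an assumed field name), that commands appear in backticks in the markdown, and uses constructed SKILL.md and README text that mirrors the mismatch reported above (`clawhub` in SKILL.md, `npx clawhub@latest` in the README, `curl` declared).

```python
"""Cross-check a skill's declared binaries against the commands its docs invoke.

Added example, not ClawHub/ClawScan code. The _meta.json field name
"requiredBinaries" and the sample documents below are assumptions.
"""
import json
import re

# Constructed sample inputs reproducing the reported inconsistency.
META_JSON = '{"name": "mood-tracker", "version": "1.0.0", "requiredBinaries": ["curl"]}'
SKILL_MD = """# Mood Tracker
Log a mood: `clawhub mood log --mood happy`
Find patterns: `clawhub mood pattern`
Get tips: `clawhub mood tips`
"""
README = """## Install
Run `npx clawhub@latest install mood-tracker` to install.
"""

# Tools that fetch and execute remote code during installation.
FETCH_AND_RUN = {"npx", "npm", "curl", "wget", "pip", "pipx", "sh", "bash"}

# Backticked command spans such as `clawhub mood log --mood happy`.
BACKTICK_CMD = re.compile(r"`([^`\n]+)`")
# Unpinned npm fetch such as `npx clawhub@latest ...` (package name captured).
UNPINNED_NPX = re.compile(r"\bnpx\s+(?:-y\s+)?([\w.-]+)@latest\b")


def invoked_binaries(doc: str) -> set[str]:
    """First token of each backticked span, e.g. 'clawhub' or 'npx'.

    Coarse heuristic: any backticked text whose first token looks like a
    program name is treated as a command invocation.
    """
    found = set()
    for span in BACKTICK_CMD.findall(doc):
        token = span.strip().split()[0]
        if re.fullmatch(r"[A-Za-z][\w.-]*", token):
            found.add(token)
    return found


def declared_binaries(meta_json: str) -> set[str]:
    """Binaries the package metadata says it needs (assumed field name)."""
    meta = json.loads(meta_json)
    return set(meta.get("requiredBinaries", []))


def audit(meta_json: str, docs: dict[str, str]) -> dict:
    """Compare declared binaries with those the docs invoke and flag fetchers."""
    declared = declared_binaries(meta_json)
    used_by: dict[str, set[str]] = {}
    for name, text in docs.items():
        for binary in invoked_binaries(text):
            used_by.setdefault(binary, set()).add(name)
    used = set(used_by)
    unpinned = sorted(pkg for text in docs.values() for pkg in UNPINNED_NPX.findall(text))
    return {
        "declared": sorted(declared),
        "used_but_undeclared": {b: sorted(used_by[b]) for b in sorted(used - declared)},
        "declared_but_unused": sorted(declared - used),
        "fetch_and_run": sorted((used | declared) & FETCH_AND_RUN),
        "unpinned_npx_packages": unpinned,
    }


def findings(report: dict) -> list[str]:
    """Human-readable reasons a reviewer would mark the install story inconsistent."""
    out = []
    for binary, where in report["used_but_undeclared"].items():
        out.append(f"{binary} invoked in {', '.join(where)} but not declared")
    for binary in report["declared_but_unused"]:
        out.append(f"{binary} declared but never invoked in the docs")
    for pkg in report["unpinned_npx_packages"]:
        out.append(f"npx fetches and runs unpinned package {pkg}@latest")
    return out


if __name__ == "__main__":
    result = audit(META_JSON, {"SKILL.md": SKILL_MD, "README.md": README})
    print(json.dumps(result, indent=2))
    for line in findings(result):
        print("-", line)
```

Run against the constructed inputs, the audit reports `clawhub` and `npx` as used but undeclared, `curl` as declared but unused, both `curl` and `npx` as fetch-and-run tools, and `clawhub@latest` as an unpinned npx package; an empty findings list is what a consistent, reviewable install spec looks like.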
