Skill v1.0.0

ClawScan security

Pollen rapporten · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 11:51 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and resource files are coherent with its stated purpose (fetching Swedish pollen forecasts) and do not request unrelated credentials, perform hidden I/O, or download remote code.
Guidance
This skill is narrowly focused: it reads the included regions.json and performs HTTPS requests to api.pollenrapporten.se to produce readable forecasts. Before installing, ensure you are comfortable with a skill having outbound network access to that API (required to function). The SKILL.md uses $OPENCLAW_HOME in examples but the script uses a path relative to its file and does not require extra environment variables or credentials. If you need stronger assurance, review the included get_forecast.py yourself (it's small and readable) or run it in an isolated environment; otherwise it appears safe and coherent for its described purpose.

Review Dimensions

Purpose & Capability
ok: Name/description match the implementation: the script loads a local region mapping and calls api.pollenrapporten.se to fetch forecasts and pollen-type metadata. Nothing in the manifest asks for unrelated credentials, binaries, or system access.
Instruction Scope
ok: SKILL.md and the Python script limit actions to reading the included references/regions.json and performing HTTPS GETs to the declared API endpoints. There are no instructions to read arbitrary user files, environment secrets, or send data to unexpected endpoints. Note: SKILL.md examples reference $OPENCLAW_HOME for convenience, but the code uses a relative path and does not require that environment variable.
Install Mechanism
ok: No install spec; the skill is instruction-plus-script only. No external downloads or package installs are performed by the skill.
Credentials
ok: The skill declares no required environment variables or credentials and the code does not read sensitive env vars. Network access to the pollen API is required and is proportional to the stated function.
Persistence & Privilege
ok: always is false and the skill does not attempt to modify agent/system configuration or other skills. It runs only as a Python script when the user invokes it.