Skill v1.0.0

ClawScan security

Bird Information · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 2, 2026, 3:38 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it fetches and parses public pages from dongniao.net to return bird information, requests no credentials, and has no high-risk install steps.
Guidance
This skill appears to do what it says: it fetches public pages from dongniao.net and parses them locally. Before installing, consider: (1) it requires network access to dongniao.net and will download the taxonomy page (~600KB) on first use; (2) parsing is regex-based and may fail or miss fields for some species (the code currently prioritizes exact matches, not fuzzy matching despite older docs); (3) no credentials are requested and there are no external installers, so risk is low—but if you need stronger guarantees, review the Python script (scripts/bird_info_skill.py) yourself or run it in a sandboxed environment. If you rely on fuzzy/partial matching, note the implementation intentionally returns only exact matches per its test report.

Review Dimensions

Purpose & Capability
ok: Name/description claim (query bird info from dongniao.net) matches the code and files: the Python script downloads the taxonomy page and detail pages from https://dongniao.net and extracts bird data. Required binary is only python3, which is appropriate for the implementation.
Instruction Scope
note: SKILL.md instructs the agent to use web_fetch and describes fuzzy matching, but the included implementation performs HTTP fetches via requests/urllib and (per test report/code) now requires exact matches (no partial/fuzzy matching). The skill only fetches public dongniao.net pages and formats parsed content; it does not read system secrets or call external endpoints beyond the stated site. Parsing is regex-based and brittle, which is a functional (not security) limitation.
Install Mechanism
ok: This is an instruction-only skill with no install spec. The bundle includes Python scripts but no package downloads or external installers. No arbitrary URL downloads or archive extraction were found.
Credentials
ok: No environment variables, credentials, or config paths are requested. The code does network fetches to a public website (dongniao.net) and does not attempt to access unrelated services or secrets.
Persistence & Privilege
ok: Skill does not request always:true and is user-invocable. It does not modify other skills or system-wide configs. Normal autonomous invocation (disable-model-invocation:false) is unchanged and expected.