Skillv1.0.3

ClawScan security

system-info-windows-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 4, 2026, 6:32 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its stated purpose (local system info gathering) and do not request credentials or network access; minor cross-platform claims are overstated but not dangerous.
Guidance: This skill appears to do exactly what it claims: read local system information and print it. Before installing, consider: (1) Source verification — the package author/source is unknown; review the included script (scripts/system_info.py) yourself (it is small and readable). (2) Cross-platform limitations — despite claiming macOS support, the memory-reading code uses /proc/meminfo (Linux) and a Windows-specific API; on macOS memory reporting will fall back to zeros. (3) Safety — the script only reads local system APIs/files and does not make network calls or request secrets, so risk is low; if you are concerned, run it in a controlled environment or inspect/execute the script manually rather than installing automatically.

Purpose & Capability: okThe skill's name, description, and included Python script all focus on collecting local system information (OS, CPU, memory, disk). It does not request unrelated credentials, binaries, or config paths. Minor mismatch: SKILL.md/README claim full macOS/Linux/Windows support while the memory path implements Linux (/proc/meminfo) and a Windows-specific ctypes call; macOS memory information will fall back to zeros.
Instruction Scope: okRuntime instructions only tell the agent to run the bundled Python script with optional flags. The script reads local system APIs/files (platform, /proc/meminfo on Linux, Windows GlobalMemoryStatus via ctypes, shutil.disk_usage) and prints JSON or table output. It does not perform network calls, write to external endpoints, or access unrelated files or env vars.
Install Mechanism: okThere is no install spec that downloads or executes external artifacts; the skill is instruction-only with a bundled script. This is low-risk from an installation perspective.
Credentials: okThe skill requests no environment variables or credentials. Its operations are limited to reading local system state, which is proportional to the stated purpose.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated persistence or modify other skills/config. It runs only when invoked.