Skill v0.1.0
ClawScan security
pddl-skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 15, 2026, 12:33 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's described purpose (PDDL planning, validation, and saving) is coherent, but the SKILL.md references Python libraries and a LICENSE file while the package declares no dependencies or install steps — this mismatch should be resolved before trusting or installing it.
- Guidance: This skill appears to do what it says (load PDDL, run a classical planner, validate, and save plans) but the SKILL.md assumes Python libraries (unified_planning and a planner like pyperplan) and mentions a LICENSE.txt that isn't included. Before installing or invoking it: 1) confirm the agent/runtime already has unified_planning and the planner backend installed (or ask the author for a pip install spec or requirements list); 2) request the missing LICENSE.txt or verify licensing terms; 3) be aware the skill will read the PDDL files you point it at and write plan files to disk — only provide trusted inputs/paths; 4) if you want the skill to be self-contained, ask the publisher to add an install spec (pip package names and versions) or include code files so dependency installation is explicit.
- Findings
[NO_FINDINGS] expected: The registry scanner found no code files to analyze (instruction-only SKILL.md). This is expected for an instruction-only skill, but it means dependency/installation risks must be judged from the prose rather than code patterns.
Review Dimensions
- Purpose & Capability
- note: The name/description and the runtime instructions align: the skill is about loading PDDL files, generating and validating plans using unified_planning and a classical planner (pyperplan). That purpose legitimately requires the Python unified_planning framework and a planner backend.
- Instruction Scope
- note: Instructions are scoped to PDDL tasks (loading domain/problem files, generating/validating plans, and writing plan files). They explicitly read and write user-specified files (domain/problem/plan), which is expected for this functionality. The SKILL.md assumes access to specific Python APIs (unified_planning.io.PDDLReader, OneshotPlanner, PDDLWriter, SequentialPlanValidator) but does not instruct the agent to install or verify those dependencies.
- Install Mechanism
- concern: There is no install spec and no declared dependencies. SKILL.md requires unified_planning and a planner backend (pyperplan), but the registry metadata lists no required packages, binaries, or install steps. This is an operational gap: the instructions will fail unless the runtime already has those Python libraries. Also, the file notes a proprietary LICENSE.txt, but no LICENSE file is present in the package manifest.
- Credentials
- ok: The skill requests no environment variables, credentials, or config paths. Its file I/O is limited to user-supplied domain/problem files and writing plan outputs, which is proportional to the stated purpose.
- Persistence & Privilege
- ok: The skill does not request always:true and is user-invocable only; it does not declare any persistent or privileged behavior. Autonomous invocation is allowed by platform default but is not combined with other high-risk factors here.
