Skill v1.0.0

ClawScan security

Bytesagain Study Plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 4, 2026, 2:41 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill implements a local study-plan CLI that writes local data files and does not request credentials or network access; the implementation is coherent with its purpose though there are small inconsistencies (missing declared binary dependency and a mismatched example command).
Guidance
This skill appears to be a local study-plan CLI and is internally coherent for that purpose, but check the following before installing or running:
- The scripts call python3; ensure python3 is installed on your system (the skill did not declare this dependency).
- The tool will create and write files under a data directory (default: ~/.local/share/study-plan) — if you care about where data is stored, set STUDY_PLAN_DIR or XDG_DATA_HOME before running.
- SKILL.md examples reference a 'run' command that isn't implemented; use the actual commands (help, plan, daily, review, pomodoro, add, list, etc.) as shown in the scripts.
- If you want to be extra cautious, run the scripts in a sandbox or inspect/execute them manually rather than allowing automatic installation/execution.
No credentials, network endpoints, or obfuscated code were found, so there is low risk of secret exfiltration based on the provided files.

Review Dimensions

Purpose & Capability
ok: Name/description (study-plan generator, schedules, reminders) match the shipped files: two shell scripts and a Python program that generate plans, daily schedules, reviews, and pomodoro guidance. The functionality is local and consistent with the stated purpose.
Instruction Scope
note: SKILL.md and examples are focused on creating study plans and invoking the CLI. One minor mismatch: SKILL.md examples show 'study-plan run', but the provided script implements commands like add/list/today/plan/daily/review/pomodoro and does not define a 'run' command. The scripts write data to a local data directory (DATA_DIR) and maintain history.log; SKILL.md does not explicitly document that, but the behavior is reasonable for a local CLI.
Install Mechanism
concern: There is no install spec (instruction-only), yet the package includes executable scripts that invoke 'python3'. The registry metadata declared no required binaries, but the scripts require a working python3 runtime. This is an inconsistency: the skill will fail unless python3 is present, but the skill does not declare that dependency.
Credentials
ok: The skill requests no credentials or secrets. It optionally respects STUDY_PLAN_DIR and XDG_DATA_HOME environment variables to control the data storage location; otherwise it writes under the user's home directory (~/.local/share/study-plan). This is proportionate to a local CLI that stores tasks and history.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated privileges. It persists user data in a dedicated data directory and log files under the user's home (or XDG_DATA_HOME). That local file writing is expected for a task manager and remains within its scope; it does not modify other skills or system-wide settings.