Skill v1.0.16

ClawScan security

Que Yin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 8:21 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (local load/status reporting and simple scheduling); it does not request credentials, install remote components, or contact external endpoints.
Guidance
This skill is a small, self-contained Node script that reports local CPU/memory/uptime and makes simple scheduling decisions; it neither contacts external servers nor requests secrets. Before installing: (1) note the package source is 'unknown' and there's no homepage—if you require provenance, ask the publisher or review the code yourself (we inspected scripts/index.js and found it benign); (2) understand that outputs reveal local system metrics—avoid sending those reports to untrusted external parties; (3) if you plan to run it on multi-tenant or sensitive hosts, review and test it in a safe environment first.

Review Dimensions

Purpose & Capability
ok
Name/description (load balancing, monitoring, scheduling, reporting) align with the provided SKILL.md and the single JS file: getStatus(), schedule(), loadReport(). No unrelated binaries, env vars, or config paths are required.
Instruction Scope
ok
SKILL.md describes exactly the three capabilities implemented. The instructions and code only read local OS metrics via Node's 'os' module and expose CLI/exports; they do not read other files, environment secrets, or send data to external endpoints.
Install Mechanism
ok
No install spec is provided (instruction-only plus a small local script). Nothing is downloaded or written to disk beyond the included script.
Credentials
ok
The skill declares no required environment variables or credentials and the code does not access process.env or other secret/config paths. Requested privileges are proportional to its function.
Persistence & Privilege
ok
always is false and the skill does not request persistent/system-wide changes. Autonomous invocation is allowed (platform default) but the skill itself does not escalate privileges or alter other skills.