Skillv1.0.0

ClawScan security

Birthday Reminder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 8:39 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions disagree about where and how birthdays are stored (markdown vs JSON) — behavior is coherent for a birthday tool but the documentation/code mismatch could cause data loss or unexpected writes.
Guidance: This skill appears to implement a simple local birthday manager and contains no networking or secret access, but there is a clear mismatch between the human-readable SKILL.md and the actual scripts: SKILL.md says to store and append markdown in /home/clawd/clawd/data/birthdays.md, while both scripts read/write /home/clawd/clawd/data/birthdays.json as a JSON dictionary. Before installing or enabling the skill: 1) Back up any existing birthdays.md and birthdays.json in /home/clawd/clawd/data. 2) Decide whether you want markdown or JSON storage; if you rely on the markdown file, the provided scripts will not read it. 3) Inspect or run the scripts in a sandbox to confirm the behavior (add/list/check) and ensure they meet your expectations. 4) If you accept the JSON approach, update SKILL.md or the agent instructions so the agent and scripts use the same path/format to avoid silent data loss. Finally, note the skill's source/homepage are unknown — trust this only if you reviewed the code yourself or run it in an isolated environment.

Review Dimensions

Purpose & Capability: concernThe skill claims to store entries in /home/clawd/clawd/data/birthdays.md (markdown lines) and describes appending to that file, but both included scripts read/write /home/clawd/clawd/data/birthdays.json and manage a JSON object keyed by name. The documented file format and the actual on-disk format differ, and the 'append' described in SKILL.md does not match the scripts' behavior (scripts overwrite/update a JSON dictionary). This is an incoherence between description and implementation.
Instruction Scope: noteSKILL.md instructs the agent to read/append a birthday markdown file in the user's home-data path and refers to check_reminders logic; the shipped scripts operate only on files under /home/clawd/clawd/data and do not access external networks, other system paths, or environment variables. The main concern is the mismatch in file path/format (MD vs JSON) which could lead the agent to write to a different file than the scripts read, producing surprise or data loss.
Install Mechanism: okThere is no install spec (instruction-only at registry level) and included scripts are plain Python files — nothing is downloaded or executed from remote URLs during installation. This is the lower-risk install pattern.
Credentials: okThe skill requests no environment variables, no credentials, and touches only a data file under /home/clawd/clawd/data. No excessive or unrelated secrets are requested.
Persistence & Privilege: okalways is false and the skill does not request system-wide privileges. It will create and write files under /home/clawd/clawd/data (the scripts create the parent directory if missing), which is expected for local data storage but should be noted because it writes to the user's home-area.