Skill v1.3.0
ClawScan security
Arknights Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 28, 2026, 2:52 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This Arknights skill is internally consistent: it provides game guidance and intentionally reads/writes a local JSON 'doctor profile' via the included scripts/memory.py, requests no external credentials, and has no install step.
- Guidance: This skill appears to do what it says: answer Arknights questions and optionally read/update a local doctor-profile JSON stored by default at ~/.config/arknights-skill/doctor-profile.json (or a custom ARKNIGHTS_MEMORY_DIR). Consider the following before installing:
  - Privacy: the skill will read and write account-related facts (UID, operator ownership, levels, resource notes). It explicitly tries to avoid storing full conversations or screenshots, but review the JSON file contents yourself to confirm you’re comfortable with the data stored.
  - Filesystem access: the included script may migrate a legacy profile from a skill-relative path into your config directory if present. If you don’t want that, remove the legacy file or set ARKNIGHTS_MEMORY_DIR to a safe location.
  - Network freshness: the SKILL.md says version-sensitive answers should be retrieved online if the agent has network access. The skill itself does not include network code or credentials — if the agent or environment has web access it may perform external queries; be mindful of that behavior.
  - Inspectability: because there is an included helper script (scripts/memory.py), you can open it (already bundled) and confirm it performs only local JSON read/write/migration and enforces short-field limits. If you want absolute assurance, review the full script to verify there are no remote endpoints or hidden behavior.

  If you’re comfortable with a local profile file being created/updated and you or your agent environment may perform network lookups for freshness, this skill is coherent and reasonable to install. If you prefer no local persistence, do not enable local file access or set ARKNIGHTS_MEMORY_DIR to a directory you control or to a temporary location.
Review Dimensions
- Purpose & Capability (ok): The declared purpose (Arknights guidance + optional local 'doctor' profile) matches the actual artifacts: SKILL.md explains how to read/update a local profile and the repository includes scripts/memory.py that implements that functionality. There are no unrelated requested credentials or binaries.
- Instruction Scope (note): Instructions explicitly direct the agent to read and update a local JSON profile (default ~/.config/arknights-skill/doctor-profile.json) and to search a few likely skill directories if env vars are missing. This is expected for a per-account memory feature, but it does grant the skill read/write access to a file in the user's home config area. The SKILL.md constrains what may be stored (no full dialogues, no screenshots, short factual fields only) and describes migration behavior from a legacy skill-relative path.
- Install Mechanism (ok): No install spec is present; the skill is instruction-only with one helper script included (scripts/memory.py). Nothing is downloaded or extracted from external URLs and no packages are installed by the skill.
- Credentials (ok): The skill does not declare or require any credentials or sensitive environment variables. It uses optional env vars (ARKNIGHTS_MEMORY_DIR, CLAUDE_SKILL_DIR / SKILL_DIR) to locate the local profile — these are reasonable for local configurability and proportional to its purpose.
- Persistence & Privilege (note): The skill writes (and may migrate) a local profile file under the user's config directory. always is false and the skill does not request system-wide privileges or other skills' credentials. Writing a JSON profile to ~/.config/arknights-skill is expected behavior but is a persistence action the user should be aware of.
