Back to skill
Skillv1.0.0
ClawScan security
sleep-wakeup advisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 26, 2026, 10:52 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose: it only contains instructions to compute wake-up times, requires no credentials or installs, and doesn't ask for unrelated system access.
- Guidance
- This skill appears safe from a permissions/credentials perspective. Before installing, consider: (1) test how it handles your timezone and late-night edge cases, (2) confirm how it determines China public holidays (the SKILL.md doesn't specify a data source), and (3) be aware it triggers on the phrase "晚安" which could fire whenever you say it. If you need holiday/calendar integration or user-specific bedtimes, ask the developer to explicitly declare the data source and any calendar permissions required.
Review Dimensions
- Purpose & Capability
- okName and description match the runtime instructions: the SKILL.md describes exactly how to compute and rank sleep-cycle wake times. The skill declares no binaries, env vars, or installs—reasonable for a pure calculation/advice skill.
- Instruction Scope
- noteInstructions are narrowly scoped to computing wake times and ranking them, but a few operational ambiguities exist: it requires determining 'China public holidays' and the day type without specifying a holiday data source or timezone, and it triggers whenever the user says "晚安" (which may cause unexpected invocations). The instructions do not request reading user files or credentials and do not send data to external endpoints.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This minimizes write-to-disk or network install risk.
- Credentials
- okNo environment variables, credentials, or config paths are requested, which is proportionate for a local-timing calculation skill.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it does not request persistent or elevated privileges or modify other skills/configuration.