Skill v1.0.0
ClawScan security
Personal AI Capability Assessment Tool (个人AI能力测评工具) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 3:22 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (a local personal AI assessment tool) and does not request extra credentials or network access, but the shipped files contain implementation inconsistencies and missing pieces that may make it non-functional or require further review before use.
- Guidance: This skill is internally consistent with being a local AI-capability assessment tool and does not request keys or network access. Before installing/using: 1) Inspect scripts/assessment_tool.py completely — the provided file appears truncated in the package and contains at least one coding error (e.g., mismatched variable name 'sorted_dimension' vs 'sorted_dimensions'), so it may not run as-is. 2) Note the tool writes user answers/reports to ~/.openclaw/workspace/ai_assessment_reports — treat those files as potentially sensitive and avoid sharing them unless you consent. 3) Verify there are no hidden network calls or telemetry in the remainder of the code (the supplied snippet shows no network usage, but the file is incomplete). 4) Test the script in an isolated environment (or review/complete the code) before giving it broader access or using with real personal data. If you want, I can (a) review the remainder of the script if you provide the full file, or (b) suggest minimal hardening steps (e.g., encrypting reports, adding explicit consent prompts before export/share).
Review Dimensions
- Purpose & Capability (ok): Name/description match the included code and SKILL.md: the package implements a local assessment questionnaire, scoring, report generation, and suggested learning paths. It does not request unrelated credentials or binaries.
- Instruction Scope (note): SKILL.md instructs the agent to run a local assessment workflow and export reports (Markdown/PDF). The instructions do not ask the agent to read unrelated system files or secrets. However, report export/share features are mentioned without detailing where/with whom reports are shared; the code writes files into ~/.openclaw/workspace which may contain user data (answers/report).
- Install Mechanism (ok): No install specification; this is instruction-only plus a local Python script. No external downloads or package installs are declared.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The code uses only a local workspace directory under the user's home; no secrets or external service credentials are requested.
- Persistence & Privilege (note): always:false (normal). The script creates and writes reports into ~/.openclaw/workspace/ai_assessment_reports — reasonable for a reporting tool but worth noting because user answers and reports will be stored on disk. The skill can be invoked autonomously by the agent (platform default).
