Skill v1.0.3

ClawScan security

Huangxianshi Divination · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review date: Mar 15, 2026, 6:54 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary
The skill appears to implement the claimed divination functionality, but there are inconsistencies and small risks (missing/mismatched data filenames, inconsistent sign field names, and a shell script that fetches wttr.in and sleeps until sunrise) that warrant review before installing or running unattended.
Guidance
What to check before installing or running:

- Functionality vs data: there are inconsistent key names ('no' vs 'number') between the SIGNS entries and some code paths (save_last_draw, find_sign_by_no). This will likely break 'explain' behavior or produce null values in last_draw.json. Review and test the CLI locally.
- Missing/mismatched files: SKILL.md mentions data/signs_cache.json but the repository provides scripts/signs_data.py; the code handles both, but the mismatch indicates sloppy packaging. Verify the data source your agent will actually use.
- draw_at_sunrise.sh: this shell script (not mentioned in SKILL.md) makes an HTTP request to wttr.in and sleeps until sunrise, then runs the draw. Only run/schedule it if you understand that it will perform a network call and may block for long periods; run it in a controlled/sandboxed environment if you want the sunrise feature.
- Data written: the skill will create/modify data/last_draw.json in the skill directory. If you are concerned about local filesystem writes, inspect and sandbox that directory (or adjust the code to use a safe path).
- No credentials requested and no obfuscated code were found, but the code contains small logic bugs and undocumented behavior. If you plan to enable autonomous invocation or schedule the shell script, first run the CLI manually to validate outputs and fix the 'no'/'number' inconsistencies.

If you are not comfortable reviewing/fixing the minor issues, run this skill in an isolated environment or decline to install.

Review Dimensions

Purpose & Capability
note: The files and code implement a local divination/interpretation tool matching the skill description. However, there are minor mismatches: SKILL.md mentions data/signs_cache.json while the package ships with scripts/signs_data.py (the code prefers importing signs_data.py but falls back to signs_cache.json). Some functions use keys named 'number' while the provided SIGNS entries use 'no', which will cause runtime bugs (e.g., save_last_draw uses 'number' and may write null). The presence of a draw_at_sunrise.sh helper (not documented in SKILL.md) is logical for a 'draw-at-sunrise' feature but was not referenced in the instructions.
Instruction Scope
concern: SKILL.md runtime instructions are largely limited to running the included Python CLI and formatting output (ok). But there are notable gaps: SKILL.md references a JSON cache file that is not present; the code will import signs_data.py instead. The code writes data/last_draw.json (persists the last draw); SKILL.md did not mention persistence. The included draw_at_sunrise.sh script issues an external HTTP request to wttr.in to get the sunrise time and sleeps until that time (long-running process). That script is not mentioned in SKILL.md and could be run by an operator or scheduled; it performs network access and can block for long periods. There are also inconsistent field names in the code vs data that can change runtime behavior and error handling.
Install Mechanism
ok: Instruction-only + included scripts; no install spec, no remote downloads or package installs. This is low-risk from an installation perspective (nothing is automatically written to disk by an installer).
Credentials
ok: The skill requests no environment variables or credentials. The only external network call is the optional draw_at_sunrise.sh using wttr.in to obtain the sunrise time, which is proportionate to the script's purpose but should be noted.
Persistence & Privilege
note: The skill writes a small file, data/last_draw.json, to persist the last drawn sign (normal for this use). It does not declare always:true and does not modify other skills or system config. The draw_at_sunrise.sh script may run as a long-lived job if started manually or scheduled; be cautious about running it unattended.