Skill v1.0.1
ClawScan security
Unit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 9:49 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (offline unit conversions + online currency lookups) and does not request unrelated credentials, but the included Python code is sloppy and writes a cache file to the user's home directory and the full source was truncated in the review, so further inspection/testing is recommended.
- Guidance: This skill is internally consistent: it runs a bundled Python script for conversions and uses exchangerate.host for currency rates. Before installing, consider: 1) The script will attempt network requests for currency lookups — confirm your environment allows that and you are okay with contacting https://api.exchangerate.host. 2) It writes a cache file to your home directory (~/.unit_converter_cache.json); review/clean that file if needed. 3) The Python code contains duplicated keys and comment/confusion about unit definitions (potential calculation inaccuracies) — test conversion results against authoritative sources if accuracy is important. 4) Because the full source in the package was truncated in the review, you may want to open/read the entire unit_converter.py to confirm there are no unexpected network calls, telemetry, or file accesses beyond the cache and exchangerate.host usage. If you plan to allow autonomous agent invocation, remember the skill can be executed by the agent without additional prompts; if that is a concern, restrict invocation or review the code thoroughly first.
Review Dimensions
- Purpose & Capability (ok): Name/description describe unit conversions and realtime currency rates. The package includes a converter script and SKILL.md that instructs use of exchangerate.host for currency data — these requirements align with the stated purpose.
- Instruction Scope (note): Runtime instructions tell the agent to run the bundled Python script or, if unavailable, to call exchangerate.host via requests. The instructions do not ask the agent to read unrelated files or environment variables. Note: the script persists a cache file in the user's home (~/.unit_converter_cache.json) and makes outbound HTTP requests for currency rates (expected for this skill).
- Install Mechanism (ok): No install spec; skill is instruction + code. requirements.txt only references 'requests'. No downloads from unknown URLs or archive extraction; low install risk. The SKILL.md tells users to 'pip install requests' if missing.
- Credentials (ok): The skill declares no required environment variables or credentials. Network access is needed only for currency lookups (exchangerate.host) which matches the described behavior. No unrelated secrets or config paths are requested.
- Persistence & Privilege (note): always:false (normal). The script will create/modify a cache file at Path.home()/.unit_converter_cache.json, which is within the skill's scope but is persistent filesystem activity the user should be aware of.
