Back to skill
Skillv1.0.0
ClawScan security
Unit Converter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 24, 2026, 12:46 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only unit converter with a local Python script that matches its description and does not request credentials or perform network actions.
- Guidance
- This skill appears coherent and low-risk: it runs a local Python converter script and does not use network, credentials, or external services. Before installing, you may (1) quickly scan the full script to confirm there are no hidden network/file operations (the provided snippet shows only conversion logic), (2) test common conversions in a sandbox or isolated environment, and (3) note small issues/typos in unit alias mappings (e.g., a malformed mapping for some 'fluid ounce' aliases in the provided snippet) — these are bugs, not security problems. If you expect strict unit name handling, verify the script's alias mapping and temperature case rules and fix locally if needed.
Review Dimensions
- Purpose & Capability
- okName/description (unit conversion) aligns with the provided files and runtime instructions. The included Python script implements length, weight, temperature, area, volume, speed, time, and data conversions — consistent with the SKILL.md.
- Instruction Scope
- okSKILL.md only instructs running the local Python script and listing/showing units. It does not direct reading unrelated system files, accessing environment variables, calling external endpoints, or collecting/transmitting user data. A minor note: SKILL.md mentions case-sensitivity for temperature and the script normalizes many inputs to lowercase but expects 'C','F','K' for temperature — users should follow the documented usage.
- Install Mechanism
- okNo install spec; the skill is instruction-only with a single local script. Nothing is downloaded or written to disk by an install process, so install-risk is minimal.
- Credentials
- okThe skill requires no environment variables, credentials, or config paths. The script operates purely on CLI args and internal tables, so requested privileges are proportional to its purpose.
- Persistence & Privilege
- okalways is false and model invocation is not disabled (default). The skill does not request persistent system changes or attempt to modify other skills or system settings.