ClawHub

GHIN Golf Tracker

v1.3.0

Analyzes local GHIN golf JSON data to report handicap trends, scoring patterns, course stats, and yearly performance without external connections.

1· 543·1 current·1 all-time
byPaul Frederiksen@pfrederiksen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description promise (local analysis of GHIN JSON) matches the files and code: the Python script reads a JSON file, computes statistics, and outputs text/JSON. There are no unrelated required binaries or environment variables.
Instruction Scope
SKILL.md and README restrict operation to reading a single .json file and producing analysis. The script enforces a .json suffix and validates expected keys. The docs explicitly deny network/subprocess/file-write behavior and the code shown adheres to that scope.
Install Mechanism
This is an instruction-only skill (no install spec). README suggests installing via 'clawhub' or cloning a GitHub repo (https://github.com/pfrederiksen/ghin-golf-tracker). Because the registry 'Source' is unknown and homepage is empty, confirm the canonical repository and install source before running.
Credentials
The skill requests no environment variables, no credentials, and no config paths. The README warns that data collection (not included) may require credentials — which is appropriate and kept separate from this skill.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistence. It does not attempt to modify other skills or system settings; it is a simple local analyzer.
Scan Findings in Context
[base64-block] unexpected: A base64 data URI (embedded SVG badge) appears in the README and triggered the base64-block detector. This is common for Markdown badges and likely benign, but it is unrelated to the skill's core purpose and worth a quick manual check to confirm there are no hidden payloads.
Assessment
This skill appears to do exactly what it claims: analyze a locally-provided GHIN JSON file with no network or credential usage. Before installing or running it: 1) verify the repository/source (README references a GitHub repo) to ensure you obtained the unmodified code from a trusted location, 2) inspect the entire scripts/ghin_stats.py file (the provided extract looked consistent, but confirm the truncated tail contains no network or file-write operations), 3) do not give your GHIN credentials to any other skill or agent that would perform data collection; if you must use automated scraping, prefer manual exports or use trusted tooling in an isolated environment, and 4) run the script on sample data or in a sandbox if you are unsure. If you want higher assurance, provide the full script content (untruncated) so it can be re-reviewed.

Like a lobster shell, security has layers — review code before you run it.

latestvk9716bdfp78g0efzngqv9wdhp981qqwc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments