Skill v1.0.1

ClawScan security

坐标转换 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 1:51 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
This skill is internally consistent: it provides a small, local GeoJSON WGS84↔Web Mercator converter, requires no credentials or exotic installs, and its instructions and code match the stated purpose.
Guidance
This appears to be a straightforward local GeoJSON coordinate converter. Before installing/running: (1) ensure you install pyproj from a trusted source (pip) in a controlled environment, (2) run the script on sample/test files first to confirm output, and (3) review/scan the included script if you require stricter assurance. There are no network calls or credential requests in the code, so risks are limited to running arbitrary local Python code from an untrusted source—treat the repository origin accordingly.

Review Dimensions

Purpose & Capability
ok: Name/description match the included script and SKILL.md. The requested dependencies (pyproj) and CLI behavior are appropriate for GeoJSON coordinate transforms; there are no unrelated binaries, env vars, or surprising permissions.
Instruction Scope
ok: SKILL.md only instructs running the included script and installing pyproj. The runtime instructions operate on local GeoJSON files and do not request unrelated files, environment variables, or network endpoints.
Install Mechanism
ok: No install spec is provided (instruction-only). The README suggests installing pyproj via pip, which is standard; there are no downloads from unknown URLs or archive extraction steps.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. The code does not access secrets or external services—only local file I/O and pyproj transforms.
Persistence & Privilege
ok: "always" is false and the skill does not modify agent/system configuration or other skills. It only reads an input file and writes an output file if requested.