Skill v1.4.1
ClawScan security
Sun Path & Environmental Analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 21, 2026, 1:31 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, requirements, and runtime instructions are coherent with its stated purpose (sun path, shadow and comfort analysis); nothing in the bundle requests unrelated credentials, network endpoints, or system-wide privileges.
- Guidance: This skill appears to do exactly what it says: local Python scripts that calculate solar geometry and shadowing and create plots. Before installing or using it:
  1. Review and run the scripts in a controlled environment (virtualenv/container) and install the requirements from requirements.txt there rather than system-wide.
  2. Be mindful of the SKILL.md instruction to 'execute without confirmation'. If you allow autonomous agent invocation, the agent may run the scripts immediately when asked; if you want manual control, disable autonomous invocation or require confirmation.
  3. When using terrain_shadow, only pass DEM files you trust and watch memory/CPU usage (the algorithm is potentially slow for large rasters).
  4. PUBLISH.md contains deployment notes and an IP address (the author's example). That is documentation only and is not executed by the skill; nevertheless, verify the author's identity/source if you prefer published skills from known repos.
  5. If you need stricter controls, run the skill in an isolated agent or sandbox and monitor file outputs under the allowed media dirs before enabling it for broad/autonomous use.
Review Dimensions
- Purpose & Capability: ok. Name/description match the included scripts and requirements. The Python scripts implement sun-position, sun-path plotting, building shadow, annual hours, terrain DEM shadow, and a psychrometric plot; the listed Python packages are appropriate for these tasks.
- Instruction Scope: note. SKILL.md instructs the agent to run the included scripts via shell exec and to write/send generated images from allowed media dirs. This stays within the skill's purpose. One attention point: the instructions explicitly say 'Do not ask for confirmation; execute and return the image and a short summary', which reduces user-interaction checks and could lead to unexpected immediate execution if the agent is allowed autonomous invocation. Functionally, however, the commands only read user-specified inputs (coordinates, DEM path, building dims) and write outputs.
- Install Mechanism: ok. No install spec is present (instruction-only), so nothing is downloaded or executed at install time. Dependencies are standard Python packages listed in requirements.txt; the README asks the user to run pip install -r requirements.txt manually. No remote URLs or archive extraction occur during install.
- Credentials: ok. The skill declares no environment variables, no credentials, and no config paths. The scripts don't read env vars or secret files; they operate on parameters and user-supplied DEM files only. This is proportionate to the stated functionality.
- Persistence & Privilege: note. The always flag is false and the skill does not request persistent or system-wide changes. However, because SKILL.md requires shell exec and instructs the agent to run scripts without asking for confirmation, an autonomously-invoked agent (the platform default) could execute those scripts immediately when triggered. That increases the practical blast radius but is coherent with the skill's operation (image generation) and not excessive by itself.
