English Learn Cards

Pass

Audited by ClawScan on May 1, 2026.

Overview

No material suspicious behavior is evident; the skill is a vocabulary flashcard helper that stores learning data locally and can optionally fetch dictionary audio.

This appears safe for its stated purpose. Before installing, be comfortable with a local Python helper modifying a SQLite database under ~/clawd/memory by default, and avoid adding sensitive phrases if you plan to use the audio lookup feature.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and using the skill may cause the agent to run the bundled Python helper to create or modify the vocabulary database.

Why it was flagged

The skill expects the agent or user to run a local Python helper for database operations. This is disclosed and central to the skill's purpose, but it is still local code execution.

Skill content
Use the helper for all DB operations:

```bash
python skill/scripts/words.py init
python skill/scripts/words.py migrate
python skill/scripts/words.py add "implement" ...
```
Recommendation

Use the helper only for the documented flashcard commands and review the script before installing if you are cautious about local code execution.

What this means

Your vocabulary cards, review history, and related learning data may remain on disk across sessions.

Why it was flagged

The skill intentionally creates persistent local memory for vocabulary cards and SRS state. Persistent learning data is expected here, but users should know where it is stored.

Skill content
SQLite DB path is controlled via env var:
  - `ENGLISH_LEARN_CARDS_DB` (default: `~/clawd/memory/english-learn-cards.db`)
Recommendation

Set ENGLISH_LEARN_CARDS_DB to a location you control, avoid adding sensitive private phrases, and back up or delete the database as needed.

What this means

If audio lookup is used, the word or phrase being looked up may be sent to Cambridge Dictionary.

Why it was flagged

The helper includes an outbound Cambridge Dictionary lookup for audio URLs, which can send the requested headword to an external provider.

Skill content
url = f"https://dictionary.cambridge.org/dictionary/{dict_path}/{requests.utils.quote(headword)}"
        try:
            r = requests.get(
Recommendation

Avoid using `--fill-audio` or `cambridge-audio` for sensitive phrases, and document this external lookup for users.

What this means

The skill may not work until the Python dependency is available, and users may need to decide how to install it safely.

Why it was flagged

The helper depends on the external Python package `requests`, while the provided metadata says there is no install spec or required binaries. This is an under-declared dependency rather than evidence of malicious behavior.

Skill content
import requests
Recommendation

Pin and declare Python dependencies in an install spec or README so users can install from a known, reviewable source.