Back to skill
Skillv1.0.1
ClawScan security
date-count · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 14, 2026, 1:53 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is a simple, instruction-only countdown skill that stores events in a local JSON file under ~/.openclaw/skills/countdown_skill/ and does not request credentials, perform installs, or contact external endpoints.
- Guidance
- This skill is coherent and low-risk: it only reads and writes a JSON file at ~/.openclaw/skills/countdown_skill/countdown.json to store events. Before installing, confirm you are comfortable giving the agent access to that path (so it can read/write the file). There are no network calls or credential requests. If you want extra safety, inspect the generated JSON file and set filesystem permissions so only your user can access it; avoid placing sensitive data inside the countdown file.
Review Dimensions
- Purpose & Capability
- okThe name/description (countdown tool) matches the behavior: storing and reading dates from a JSON file. No unrelated env vars, binaries, or network access are requested.
- Instruction Scope
- noteSKILL.md directs the agent to read/write a fixed local file path (~/.openclaw/skills/countdown_skill/countdown.json) and to present countdown results. This is within the stated purpose, but the agent requires filesystem access to that path; the instructions do not request reading any other files or variables.
- Install Mechanism
- okNo install steps or downloads are present (instruction-only). Nothing will be written to disk by an installer beyond the skill's documented JSON file which is expected behavior.
- Credentials
- okNo environment variables, credentials, or external service access are required. The single storage file is a reasonable, proportional requirement for this functionality.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request elevated privileges or modify other skills or system-wide configuration. It persists only via its own JSON file in the user's home directory.