Back to skill
Skillv1.0.1
ClawScan security
MTG Wiki 万智牌全知识库 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 29, 2026, 8:01 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and runtime instructions are coherent with a local Magic: The Gathering wiki/lookup assistant; it is instruction-only, asks only for python3, and directs use of local files and public APIs—no unexplained credentials or privileged actions.
- Guidance
- This skill is internally consistent for a local MTG wiki/lookup tool. Before installing or running anything: (1) be aware the published skill is instruction-only and does not include the claimed 187‑page wiki and 37k card DB — the SKILL.md directs you to git clone a third‑party GitHub repo to get that data and scripts; review that repository and its build scripts (e.g., build_indices.py) before running them. (2) The agent may try to run python3 scripts if you provide the repo; ensure you trust the code and run it in a controlled environment. (3) The skill calls public APIs (mtgch, Scryfall); these are normal but may expose query data to those services — if you need fully offline operation, obtain and verify the local database first. (4) No credentials or elevated system permissions are requested by the skill itself. If you want higher assurance, ask the author for a release tarball or inspect the GitHub repo contents before cloning and executing.
Review Dimensions
- Purpose & Capability
- okName/description (MTG rule/card/wiki queries) match the declared requirements and instructions: it only needs python3 to run local search/translation scripts and to consult local wiki/raw rule files and public APIs (mtgch, Scryfall). No unrelated binaries or secrets are requested.
- Instruction Scope
- noteSKILL.md explicitly instructs the agent to read files under the skill's repo (wiki/, raw/) and to run python scripts (card_search.py, rule_search.py, name_translator.py). It also recommends cloning a GitHub repo to obtain the full dataset. This is within the stated purpose, but the skill expects a local dataset that is not bundled with the skill — the agent/user must fetch and run code from a third‑party repo for full functionality.
- Install Mechanism
- okThere is no automated install spec; the README suggests cloning a GitHub repository (a well-known host). Because nothing is installed automatically by the skill, risk is lower. Users should still review the external repo before running its build scripts.
- Credentials
- okThe skill requests no environment variables, credentials, or special config paths. It mentions public APIs (mtgch, Scryfall) but does not require API keys or secrets — proportional to the described functionality.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; there is no indication it modifies other skills or system-wide configuration. It will operate only when invoked and only uses local files or public web APIs per its instructions.