Back to skill
Skillv1.0.0
ClawScan security
Cronexplain · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 27, 2026, 9:51 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions match its stated purpose (explaining cron expressions and computing next run times); it doesn't request credentials, network access, or installs, and the included Python scripts contain straightforward, readable logic.
- Guidance
- This skill appears internally consistent and low-risk: it includes a small Python script that parses cron expressions and prints human-friendly descriptions and next run times. Before installing, note that you need Python 3 available to run the script (SKILL.md uses 'python3' even though 'required binaries' metadata is empty). If you plan to let an agent execute it autonomously, confirm the agent has Python 3 and run the script in a restricted environment if you want extra caution. If you want to be thorough, you can open the included scripts (they are short and readable) and run them locally on sample cron expressions to verify behavior; the code does not perform network I/O or read/write system files or secrets.
Review Dimensions
- Purpose & Capability
- okName/description match the delivered artifacts: the repository contains a cron expression parser/explainer and a next-run calculator. There are no unrelated environment variables, binaries, or external services requested.
- Instruction Scope
- noteSKILL.md instructs running the included Python script (python3 scripts/cronexplain.py). The skill metadata lists 'zero dependencies' but does not declare 'python3' as a required binary — this is a minor inconsistency (practical requirement: Python 3 must be available to run the script). The instructions do not ask the agent to read unrelated files, access environment variables, or transmit data externally.
- Install Mechanism
- okNo install spec / no downloads. This is an instruction-only skill that ships its Python files with the skill bundle. Nothing will be fetched from external URLs or written to system paths during install.
- Credentials
- okThe skill requests no environment variables, no credentials, and no config paths. The code does not access os.environ or other secrets. There is no indication of disproportionate credential or env access.
- Persistence & Privilege
- okalways is false and the skill does not attempt to modify other skills or system-wide configuration. It only prints explanations and computed run times when executed.