Skill v1.0.0
ClawScan security
Hainan Cost Index · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 12:57 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (local cost-index lookup and estimation) and only uses included reference data and a local Python script; no secrets, network access, or unusual installs are requested.
- Guidance: This skill is internally coherent: it uses a bundled JSON database and a Python estimator to provide cost-index queries and investment estimates, and it does not request secrets or perform network activity. Before installing, consider: 1) verify the data source — SKILL.md cites an official 2024 Hainan publication but the package 'Source' is unknown and no homepage is provided; confirm you trust the data for important decisions; 2) SKILL.md references two additional reference files (cost-index-summary.json, project-categories.md) that are not included — expect reduced functionality or missing details if those files were intended; 3) the Python script runs locally (requires Python 3) — ensure your environment can run it and review the script if you will execute it locally; 4) the manifest version mismatch is a minor packaging issue. If you need this for formal decisions, validate the underlying publication or consult a licensed cost consultant.
Review Dimensions
- Purpose & Capability (ok): Name/description match the included assets: a local JSON database of cases, adjustment coefficients, and a Python estimator. The code and SKILL.md are consistent with a cost-index/estimation skill. Minor metadata mismatch: manifest.json version is 1.0.1 while registry metadata lists 1.0.0 (likely a packaging/versioning oversight).
- Instruction Scope (note): SKILL.md directs the agent to read local reference files (references/hainan-cost-database.json) which exist and are included. However, SKILL.md also mentions references/cost-index-summary.json and references/project-categories.md, which are not present in the provided file manifest — this is an inconsistency that may lead to missing information at runtime but is not a security concern. No instructions ask for external endpoints, system credentials, or unrelated system files.
- Install Mechanism (ok): No install spec (instruction-only). A Python script (scripts/cost_estimator.py) is included but there is no automatic download or external install step. No network downloads, URL fetches, or archive extraction are present.
- Credentials (ok): The skill declares no required environment variables, no credentials, and the code does not read environment variables or network endpoints. All data access is to local files bundled with the skill.
- Persistence & Privilege (ok): always is false and there's no behavior that modifies other skills or system-wide settings. Agent autonomous invocation is allowed (platform default) but this is normal and not, by itself, a concern.
