Skill v1.0.0
ClawScan security
Piadas Reddit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 4, 2026, 10:30 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions are consistent with its stated purpose (fetching recent clean jokes from r/tiodopave) and it does not request credentials or install external code, though there are minor inconsistencies between the provided scripts that you should review before use.
- Guidance: This skill appears to do what it says: fetch jokes from r/tiodopave, filter them, and avoid repeats, and it requires no credentials. Before installing, verify which script will be executed by the agent (SKILL.md points to index.mjs). If you want consistent behavior, remove or update get_joke.sh (it lacks score and NSFW filters and won't update the last-joke file). Note that the Node script uses simple keyword-based NSFW filtering which can produce false positives/negatives; review or tighten the filter if that matters. Finally, although no secrets are requested and there are no external installs, the source/homepage is unknown — if you need a stronger trust signal, ask the publisher for a repo or homepage to audit history and updates.
Review Dimensions
- Purpose & Capability (ok): Name/description (fetch clean, recent jokes from r/tiodopave) matches the included code: index.mjs fetches Reddit JSON, filters by score >=5, removes NSFW by keywords, and avoids repeating the last joke. No unrelated credentials, binaries, or external services are requested.
- Instruction Scope (note): SKILL.md instructs running the Node script (index.mjs), which implements the described rules. However an additional script (get_joke.sh) is included but not referenced by SKILL.md; that shell script fetches Reddit JSON and uses an embedded Python parser but does not apply the score>5 or NSFW filtering and does not update the /tmp/last-joke.txt file. This difference can lead to inconsistent behavior if the alternative script is executed instead of the Node script.
- Install Mechanism (ok): No install spec; instruction-only with two lightweight code files. No downloads, package installs, or archive extraction — minimal surface for supply-chain risk.
- Credentials (ok): No environment variables or credentials are requested. The scripts perform HTTP GET requests to reddit.com only and read/write only to temporary files (/tmp/reddit_tiodopave.json, /tmp/last-joke.txt). This is proportionate to the skill's purpose.
- Persistence & Privilege (ok): Skill does not request always:true and does not modify other skills or system-wide settings. It writes a small state file in /tmp to avoid repeats, which is reasonable for its function.
