Skillv1.1.0

ClawScan security

vRain 古籍电子书制作 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 22, 2026, 10:57 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only wrapper that expects a locally installed vRain Perl tool and does not request extra credentials, unusual system access, or remote installs — it appears to do what it claims.
Guidance: This skill appears coherent and limited in scope, but you should still exercise normal caution before running code from the network: 1) Review the GitHub repository (https://github.com/shanleiguang/vRain) before cloning — inspect vrain.pl and any helper scripts for unexpected network calls or actions. 2) Avoid running commands with sudo unless necessary; prefer installing Perl modules for your user or inside a virtual environment. 3) Consider running the tool in an isolated environment/container if you are unsure. 4) Verify font files’ licensing before distributing output that embeds them. 5) Make sure your book text does not contain sensitive information you wouldn't want processed by a locally executed tool. If you want higher assurance, ask for the vrain.pl source to be reviewed or run it in a sandbox first.

Review Dimensions

Purpose & Capability: okName/description claim (convert Chinese plaintext/Markdown to 古籍-style PDF via vRain) matches the instructions: the SKILL.md documents how to clone the vRain repo, install Perl deps, prepare fonts/canvas, and run vrain.pl. No unrelated services, credentials, or binaries are requested.
Instruction Scope: okInstructions are narrowly scoped to preparing the vRain repository, installing Perl modules (cpanm/cpan), placing fonts/backgrounds, and running local perl scripts. They do not instruct reading unrelated system files, exfiltrating data, or contacting unexpected endpoints beyond the GitHub repo URL used to obtain the tool.
Install Mechanism: okThere is no packaged install spec in the skill; the SKILL.md tells the user to git clone a GitHub repository and install Perl modules via cpanm/cpan. Using a GitHub repo and CPAN is a standard, low-risk approach for an instruction-only skill; no arbitrary binary downloads or extracted archives from unknown hosts are prescribed by the skill itself.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The requested operations (filesystem under ~/GitHub/vRain and installing Perl modules) are proportional to the stated purpose.
Persistence & Privilege: okSkill does not request permanent/always-on presence (always: false). It is user-invocable and can be invoked by the agent normally; nothing in the skill tries to modify other skills or system-wide agent settings.