Skillv0.1.0

ClawScan security

Cold Chain Risk Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

ReviewMar 13, 2026, 9:28 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The code is a small, local risk calculator and mostly matches the stated purpose, but the SKILL.md claims file I/O and other features that the shipped script does not implement — an inconsistency worth verifying before install.
Guidance: The included Python script is simple and appears safe: it computes and prints a risk score from the provided arguments and does not access network or files. However, SKILL.md claims file I/O, temperature monitoring, and packaging optimization that are not implemented in the code. Before installing or allowing autonomous runs: (1) inspect any future or remote versions for added file or network behavior, (2) run the script in a sandboxed environment to confirm actual behavior, (3) ask the publisher to reconcile SKILL.md with the code or provide missing modules, and (4) if you expect file input/output or monitoring, require explicit evidence and a justification for those capabilities. These steps reduce risk from outdated or misleading documentation that could hide broader privileges.
Findings: [no-findings] expected: Static pre-scan found no suspicious patterns. Given the code is small and local, absence of findings is expected, but documentation/code mismatches remain a concern.

Purpose & Capability: noteName/description match the included Python script: the script computes a simple risk score from route, duration, and packaging. However, SKILL.md advertises features (packaging optimization, temperature monitoring) and file read/write behavior that are not present in scripts/main.py, suggesting the documentation is out of sync with the code.
Instruction Scope: concernSKILL.md states 'Read input files, write output files' and 'Temperature monitoring' but the runtime instructions and the included script only print results to stdout and do not access the filesystem or network. This mismatch could confuse users and conceal planned behaviors not present in the current code. Verify whether additional code (not included) or future versions will perform file or network operations.
Install Mechanism: okNo install spec and no external dependencies are declared; the script requires only a Python interpreter which is reasonable and low-risk for this purpose.
Credentials: okNo environment variables, credentials, or config paths are requested; that aligns with the tool's local calculation purpose and is proportionate.
Persistence & Privilege: okSkill does not request permanent presence (always:false) and has no install actions that would modify agent/system configuration. Default autonomous invocation is allowed, which is expected for skills.