Skill v1.0.1

ClawScan security

Gardening Calendar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 2, 2026, 1:58 PM
Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary
The skill's code and runtime instructions are benign-looking, but important claims in the description (160+ plants; regional adaptation) are not implemented in the bundled files, so the package is internally inconsistent.
Guidance
This package is not malicious but is internally inconsistent: it advertises 160+ plants and regional adaptation but only ships 3 plant records and the logic does not apply region-specific rules. If you need the advertised functionality, ask the publisher for the full plant dataset and for code that accepts a region parameter and applies region-specific windows. It's safe from a credential/exfiltration perspective (no env vars, no network calls), but do not assume the skill provides comprehensive regional advice until the missing data/logic are added. If you plan to rely on it for critical gardening decisions, verify outputs against a trusted source or wait for the complete dataset and region-aware implementation.

Review Dimensions

Purpose & Capability
concern: The skill's description claims a database of 160+ plants and regional adaptation for UK/US/Thailand/Australia, but the bundled reference data contains only 3 plants (tomato, carrot, lettuce) and the plant records have no region-specific fields. The logic file exposes REGIONS but does not accept or apply a region parameter when computing sow/harvest windows. This mismatch means the delivered capability does not match the advertised purpose.
Instruction Scope
note: SKILL.md limits runtime behavior to checking the current month and user's location and using scripts/calendar-logic.ts. It does not instruct any network calls, file system reads beyond the bundled files, or credential use. However it references 'references/plant-database.md' as a resource (marked 'Coming Soon') which is not present; the instructions also promise regional adaptation that the code does not implement.
Install Mechanism
ok: No install spec and only small TypeScript files are bundled. Nothing is downloaded or written to disk at install time; no third-party packages or external install sources are used.
Credentials
ok: The skill declares no required environment variables, no credentials, and no config paths. The code does not access environment variables or external services.
Persistence & Privilege
ok: always is false and the skill is user-invocable. The skill does not request persistent/system-wide privileges or attempt to modify other skills or agent configuration.