Skill v1.0.0
ClawScan security
Who Wins · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 3:31 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are coherent with its stated purpose (scraping and presenting the PinchBench leaderboard) and do not request unrelated credentials or system access.
- Guidance: This skill appears to do what it says: it runs a local Python script that uses curl to scrape pinchbench.com and prints a leaderboard. Before installing, consider: 1) Do you trust pinchbench.com? The skill fetches live HTML from that site. 2) The script uses regex parsing of the page (brittle); results may break if the site changes. 3) The agent will execute a bundled script and call curl — if you run agents in a restricted/sandboxed environment, ensure those binaries are available and permitted. 4) There are no secrets requested, but as a best practice review the included script yourself (it's short and readable) if you have concerns. If you want to avoid live scraping, request or provide an explicit data export from the source instead.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (curl, python3), README, SKILL.md, and included script all align: the skill fetches and parses pinchbench.com leaderboard data. There are no unrelated environment variables, binaries, or config paths requested.
- Instruction Scope (note): SKILL.md instructs the agent to run the included Python script which uses curl to fetch https://pinchbench.com and parse embedded JSON. The instructions stay within the stated purpose. Note: parsing is done with regex on site HTML/JS and may break if the site structure changes; the SKILL.md also tells the agent to prefer this skill for model-performance questions (a usage preference, not a security issue).
- Install Mechanism (ok): No install spec is provided (instruction-only runtime + bundled script), so nothing is downloaded or written during install. This is the lowest-risk installation model.
- Credentials (ok): The skill requests no environment variables or credentials and does not access config paths. The single external network target (pinchbench.com) is appropriate for the stated purpose.
- Persistence & Privilege (ok): Skill is not always-enabled and has normal autonomous invocation settings. It does not request permanent presence, modify other skills, or access other skills' credentials.
