Back to skill
Skillv1.0.0
ClawScan security
Check Workday CN · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 10, 2026, 6:07 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it runs a small Python script that fetches holiday JSON from jsDelivr and determines workday status; it requests no credentials, makes no unexpected file or system access, and has no install step.
- Guidance
- This skill appears safe and does exactly what it claims: fetch holiday JSON from jsDelivr and compute whether a date is a workday. Before installing, consider whether you trust the external data source (jsDelivr/GitHub content). For higher assurance, you can: run the included script locally to inspect behavior; pin the URL to a specific commit or mirror the yearly JSON into a trusted location; or run without network access by supplying local data. No credentials are required and the script does not access other files or services.
Review Dimensions
- Purpose & Capability
- okName/description match the code and instructions. The script only needs to fetch yearly holiday JSON and compute workday logic; there are no unrelated requirements (no credentials, no unrelated binaries).
- Instruction Scope
- okSKILL.md and the script are narrowly scoped: they fetch JSON from https://cdn.jsdelivr.net/gh/NateScarlet/holiday-cn@master/{year}.json, apply holiday/makeup-workday rules, and print a small result. The instructions do not read other files, access extra env vars, or transmit data to unknown endpoints. Note: the skill requires outbound HTTP access to the jsDelivr CDN.
- Install Mechanism
- okThere is no install spec (instruction-only usage) and included code is a simple Python script. No downloads or archive extraction are performed by an installer. Risk from installation is minimal.
- Credentials
- okThe skill requests no environment variables or credentials. The only external dependency is network access to a public CDN to fetch holiday data, which is proportionate to the stated purpose.
- Persistence & Privilege
- okalways is false, the skill does not request persistent presence or modify other skills/system settings. It only prints results; it does not store secrets or alter agent configuration.