Skill v1.0.2
ClawScan security
vinci-tarot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 2:40 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements match a tarot-reading tool: it needs python3, uses local card data and optional card-image downloads, and does not request unrelated credentials or hidden network endpoints.
- Guidance: This skill appears to do what it says: a local Python tarot reader that can generate spread images. Things to consider before installing: (1) it will execute Python code from the skill package (perform_reading and the image scripts), so only install it if you trust the skill source; (2) on its first image-generation run it may make network requests to https://www.sacred-texts.com to download card art and will write the images into a local cards/ directory; if you prefer no network activity, pre-populate cards/ with the 78 card images or run image generation with --images-dir pointing to an offline folder; (3) follow the INSTALL.md steps (pip install Pillow) inside a virtualenv so the dependency does not touch system packages; (4) no credentials are requested and there are no obvious hidden endpoints, but for extra safety run the code in a sandboxed environment and review the short Python scripts (generate_spread_image and download_card_images) yourself before the first run.
Review Dimensions
- Purpose & Capability (ok): Name/description (tarot reader) align with the provided Python package: perform_reading, interpret_card, spread layouts, and data/cards.json. The only required binary is python3, and the included files implement the claimed features (spreads, card meanings, image generation). No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): SKILL.md tightly prescribes runtime behavior (clarify question → announce draw → call perform_reading → generate image → send image → interpret). That scope is appropriate for a tarot skill, but the instructions require executing local Python modules and running the generate_spread_image script, which loads data/cards.json and may fetch card images from the web if local images are missing. The skill does not instruct reading unrelated system files or secrets.
- Install Mechanism (note): There is no install spec (instruction-only), so nothing is auto-downloaded by the registry. The code includes a small requirements.txt (Pillow) and the image-generation scripts. The generate_spread_image and download_card_images scripts fetch images from a public host (IMAGE_ROOT = https://www.sacred-texts.com/tarot/pkt/img/) if local images are missing. Those network fetches are expected for image assets and go to a known host, not to an arbitrary shortener or personal server.
- Credentials (ok): The skill declares no required environment variables or credentials. The code only sets PYTHONPATH for its subprocess calls and does not request tokens, keys, or unrelated secrets.
- Persistence & Privilege (ok): Flags show normal privileges (always:false). The package may write card images to a local cards/ directory when downloading assets; that is proportional to its function and scoped to its own files. It does not modify other skills or system-wide configuration.
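The Guidance and the Install Mechanism and Credentials dimensions above all come down to the same pre-install checks: which hosts the scripts can reach, where they read the environment or spawn subprocesses, and whether cards/ already holds the 78 images that make the network fetch unnecessary. The following is an added example of a small review helper that performs those checks over a skill directory; it is not part of vinci-tarot or of ClawHub's scanner. The allowlist of expected hosts is taken from the IMAGE_ROOT named in the report, the file names and contents written by build_sample_skill are constructed stand-ins that mirror the report's description (not the real skill sources), and the regex matches are heuristics meant to point a reviewer at lines to read, not a substitute for reading the scripts.

```python
"""Pre-install static review of a skill package (added example, hypothetical).

Walks a skill directory and reports: every URL host referenced from its
Python files (flagging hosts outside an allowlist), lines that read the
process environment, lines that spawn subprocesses, and whether cards/
already holds the 78 images needed to run without any network fetch.
"""
import json
import re
import tempfile
from pathlib import Path

# Assumption: the report names www.sacred-texts.com as the expected image
# host, so that is the only host treated as expected here.
DEFAULT_ALLOWED_HOSTS = frozenset({"www.sacred-texts.com"})
EXPECTED_CARDS = 78                      # a full deck, per the report
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")      # captures the host
ENV_RE = re.compile(r"os\.environ|os\.getenv\(")        # environment reads
SUBPROC_RE = re.compile(r"\bsubprocess\.\w+\(")         # subprocess.* calls


def review_skill(skill_dir, allowed_hosts=DEFAULT_ALLOWED_HOSTS):
    """Return a dict of findings for the skill rooted at skill_dir."""
    skill_dir = Path(skill_dir)
    findings = {
        "urls": {},              # host -> ["file:line", ...]
        "env_reads": [],         # "file:line" of os.environ / os.getenv uses
        "subprocess_calls": [],  # "file:line" of subprocess.* calls
    }
    for py in sorted(skill_dir.rglob("*.py")):
        rel = py.relative_to(skill_dir).as_posix()
        text = py.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            where = f"{rel}:{lineno}"
            for m in URL_RE.finditer(line):
                findings["urls"].setdefault(m.group(1), []).append(where)
            if ENV_RE.search(line):
                findings["env_reads"].append(where)
            if SUBPROC_RE.search(line):
                findings["subprocess_calls"].append(where)
    # Any host the reviewer did not expect gets surfaced for manual inspection.
    findings["unexpected_hosts"] = sorted(
        h for h in findings["urls"] if h not in allowed_hosts)
    # Offline readiness: a full cards/ directory means no download path is taken.
    cards = skill_dir / "cards"
    n_images = (sum(1 for p in cards.iterdir() if p.suffix.lower() in IMAGE_EXTS)
                if cards.is_dir() else 0)
    findings["card_images"] = n_images
    findings["offline_ready"] = n_images >= EXPECTED_CARDS
    return findings


def build_sample_skill(root, extra_host=None):
    """Write a constructed skill layout mirroring the scanner report.

    File names and bodies are hypothetical stand-ins, not the real sources.
    extra_host optionally plants a URL to a host outside the allowlist so the
    flagging path can be exercised.
    """
    root = Path(root)
    (root / "scripts").mkdir(parents=True, exist_ok=True)
    (root / "scripts" / "download_card_images.py").write_text(
        'IMAGE_ROOT = "https://www.sacred-texts.com/tarot/pkt/img/"\n'
        "def download(name):\n"
        "    return IMAGE_ROOT + name\n")
    (root / "perform_reading.py").write_text(
        "import os, subprocess, sys\n"
        "def run(spread):\n"
        "    env = dict(os.environ, PYTHONPATH=os.path.dirname(__file__))\n"
        "    return subprocess.run([sys.executable, '-m', 'tarot', spread], env=env)\n")
    if extra_host:
        (root / "helper.py").write_text(f'PING = "https://{extra_host}/x"\n')
    (root / "cards").mkdir(exist_ok=True)
    for i in range(3):   # deliberately only 3 of the 78 card images
        (root / "cards" / f"card{i:02d}.jpg").write_bytes(b"")
    return root


def demo(extra_host=None):
    """Build the constructed skill in a temp dir and review it."""
    with tempfile.TemporaryDirectory() as tmp:
        return review_skill(build_sample_skill(tmp, extra_host))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against a real skill with review_skill("/path/to/skill") before installing; a non-empty unexpected_hosts list, or env_reads and subprocess_calls in files unrelated to the declared feature, are the lines to open and read. offline_ready is True only when cards/ already holds a full deck, which is the condition under which the download script has no reason to touch the network.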
