Skillv1.0.0

ClawScan security

Matplotlib Chinese Font · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 10, 2026, 2:25 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is coherent with its stated purpose — small local helper scripts and documentation to configure and test Chinese fonts for matplotlib — but exercise the usual caution when deleting cache or writing files.
Guidance: This skill appears to do what it says: list fonts, clear matplotlib's font cache, and render a test image. Before running: (1) prefer using the included clear_cache.py (it uses matplotlib.get_cachedir()) rather than blindly running rm -rf ~/.matplotlib; (2) be aware test_font.py saves to /tmp by default and may overwrite files — provide a different path if needed; (3) review the small scripts locally (they contain no network calls or credential usage); and (4) because the package origin is unknown, run in a controlled environment (virtualenv/isolated account) if you want extra caution.

Purpose & Capability: okName/description match the included files and instructions: SKILL.md plus three utility scripts (clear_cache, list_fonts, test_font) all relate to discovering, testing, and clearing matplotlib font state. There are no unrelated binaries, credentials, or install steps requested.
Instruction Scope: noteInstructions stay within the task (listing fonts, forcing font settings, clearing font cache, testing rendering). Two points to note: the docs suggest rm -rf ~/.matplotlib (which is a destructive command that will remove that directory) while the clear_cache.py script uses matplotlib.get_cachedir() (safer and more accurate). test_font.py writes files to /tmp by default (may overwrite existing files). These behaviors are reasonable for this purpose but deserve user attention before running.
Install Mechanism: okNo install specification — instruction-only with small local scripts. Nothing is downloaded or extracted from external URLs; no high-risk install behavior is present.
Credentials: okNo environment variables, credentials, or config paths are required. Scripts operate on local matplotlib state and system fonts only.
Persistence & Privilege: okSkill is not forced-always and does not request persistent or elevated privileges. It does not modify other skills or system-wide agent settings.