Back to skill
Skillv1.0.0
ClawScan security
Greeting Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 15, 2026, 8:24 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This skill's code and runtime instructions match its stated purpose (simple, local greeting generation) and it does not request extra credentials, network access, or unusual installs.
- Guidance
- This skill appears internally consistent and minimal: it's just local greeting logic. If you plan to install it, verify the publisher (orlyjamie) and the @openclaw/core dependency from your package registry, and review build/run steps before executing untrusted code. No credentials or network access are requested, so the main remaining risk is running third-party code—only install from sources you trust.
Review Dimensions
- Purpose & Capability
- okName/description (friendly, time-based greetings) align with the code and SKILL.md. The files implement two greeting tools and nothing else; no unrelated credentials, binaries, or paths are requested.
- Instruction Scope
- okSKILL.md only documents greeting and time-based greeting tools and parameters. It does not instruct the agent to read files, access environment variables, call external endpoints, or collect extra context.
- Install Mechanism
- okThere is no install spec; this is an instruction+source package. package.json lists @openclaw/core as a dependency and TypeScript dev deps, which is expected for a skill implemented in TypeScript. No suspicious downloads or extract operations are present.
- Credentials
- okThe skill declares no required environment variables or credentials. The code does not access process.env or other sensitive configuration.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; it does not request permanent system presence or modify other skills' configs. Autonomous invocation remains possible (platform default) but is not combined with other red flags here.