Skill v1.0.1
ClawScan security
Social Security Fund · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 11:05 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and instructions match its stated purpose: local calculators and simulated query helpers for Chinese social security and housing fund; there are no unexplained credentials, network endpoints, or install steps.
- Guidance: This skill appears coherent and local: it runs included Python scripts to produce simulated social-security and housing-fund data and perform calculations. Before installing or running: (1) review the scripts yourself (they are small and readable) if the source is unknown; (2) do not pass real ID numbers, account passwords, or login credentials on the command line to untrusted code (command-line args can be visible to other users); (3) be aware requirements.txt includes web-scraping libraries — if later modified to perform real queries, the code could contact official sites and might need credentials (avoid providing them here unless you trust the maintainer); (4) the tool currently uses simulated data and does not persist or exfiltrate data, but confirm there are no network calls if you require offline-only behavior.
Review Dimensions
- Purpose & Capability (ok): Name/description align with provided scripts: calculators (calculate.py, pension_estimate.py), simulated query helpers (query_social_security.py, query_fund.py) and a wrapper (check_deals.py). Required env vars/binaries/configs are none, which is consistent with a local, offline tool.
- Instruction Scope (note): SKILL.md instructs running the included local Python scripts and shows optional ID/account arguments used only to generate simulated results. The scripts do not read unrelated system files or environment variables. Warning: supplying sensitive values (身份证号, 公积金账号) on the command line may expose them to other local users via process listings; the README/SKILL.md claims sensitive data is not stored or uploaded — current code does not persist or transmit such data.
- Install Mechanism (ok): No install spec; it's an instruction-only skill with a requirements.txt referencing requests and beautifulsoup4. That is reasonable given potential optional web scraping, though the shipped scripts currently do not perform network requests. Installing requirements (pip) is the only installation step and is proportionate.
- Credentials (ok): The skill requests no environment variables or credentials. It accepts user-supplied ID/account values as CLI args (used locally to generate simulated outputs). This is proportionate to the stated functionality, but users should avoid passing real credentials or sensitive tokens to unverified code.
- Persistence & Privilege (ok): Skill does not request persistent presence, does not modify other skills, and does not write configuration. SKILL.md mentions an optional cache file path in the file tree, but shipped scripts do not create or write cache files.
