Skill v0.5.1
ClawScan security
Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 16, 2026, 11:03 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only wrapper for the grazy CLI and its requirements and instructions are generally coherent with that stated purpose.
- Guidance
- This skill appears to be what it says: a helper to run the grazy CLI. Before installing or running it:
  1) Verify the npm package page and the linked GitHub repository and confirm the package maintainer (check recent releases and open issues).
  2) Prefer running 'npx @grazy/cli ...' in a sandboxed environment if you don't want to install globally; npx executes remote code at runtime.
  3) If installing globally, pin a known-good version (npm install -g @grazy/cli@<version>) rather than installing the latest by default.
  4) Inspect the package source (on GitHub) for unexpected network calls or data collection if you need higher assurance.
  5) Note the minor metadata inconsistency: the registry record omitted required binaries while SKILL.md lists them — this is likely bookkeeping but verify that the runtime environment has the grazy CLI available.
Review Dimensions
- Purpose & Capability
- ok: The skill's name/description (Graz city info via the grazy CLI) matches the runtime instructions which call the grazy CLI. Note: the top-level registry summary claims no required binaries, but the SKILL.md metadata and instructions do list the grazy binary / @grazy/cli npm package as required — this is a minor metadata inconsistency, not a functional mismatch.
- Instruction Scope
- ok: SKILL.md only instructs the agent to call grazy help and grazy subcommands (departures, weather, events, poi, news, air, etc.). It documents data sources (EFA, Open-Meteo, ORF RSS, OpenStreetMap, kultur.graz.at) which align with the described outputs. There are no instructions to read unrelated files, environment variables, or to exfiltrate data.
- Install Mechanism
- note: There is no platform installer in the registry entry, but SKILL.md provides an npm-based install (npm install -g @grazy/cli) and suggests npx as an alternative. Installing or running via npx pulls code from the npm registry/GitHub repo — a common and traceable approach, but it does execute third-party code at runtime, so users should verify the package/repo and preferred version before global install.
- Credentials
- ok: No environment variables, credentials, or config paths are requested. This is proportional to a CLI that aggregates public data.
- Persistence & Privilege
- ok: The skill does not request always:true and does not ask to modify other skills or global agent settings. It is user-invocable and may be invoked autonomously (platform default), which is expected for a CLI wrapper.
