Back to skill
Skillv1.0.0
ClawScan security
womens-day-support · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 6, 2026, 2:57 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated purpose (providing Women's Day resources) is reasonable and non-malicious, but the shipped code and runtime instructions don't line up: missing command handlers, naming/typo bugs, and feature mismatches mean the package is inconsistent and should be fixed or clarified before use.
- Guidance
- This skill does not show malicious behavior, but it is inconsistent and incomplete. Before installing or enabling it: 1) ask the author for the correct entry point/command API (SKILL.md and test.js reference handleCommand, but the module exports womensDaySupport); 2) request fixes for obvious bugs (e.g., 'carealSupport' typo and the missing command parsing), and a clear README mapping commands to code; 3) run the included test.js locally to confirm behavior and check that features promised in SKILL.md are implemented; 4) verify the source/author and provenance (there is no homepage and owner ID is opaque). If you need reliable support features (hotlines, emergency help), prefer well-maintained, audited resources until this skill is fixed.
Review Dimensions
- Purpose & Capability
- noteThe name/description match the content in the JavaScript files (quotes, hotlines, local resources). However the implemented code is minimal and does not implement several features promised in SKILL.md/README (event finder, business lookup, command parsing). The delivered code appears intended for the stated purpose but is incomplete.
- Instruction Scope
- concernSKILL.md documents slash-style commands and behavior (e.g., '/womensday resources', handling location config). The provided code does not implement a command handler: test.js calls handleCommand (which does not exist in womens-day-support.js) and the module exports womensDaySupport, not a command-processing API. SKILL.md promises features (event finder, businesses, scheduling check-ins) that are not implemented. This is a functional/instructional mismatch that will cause runtime failures or undefined behavior.
- Install Mechanism
- okNo install script or external downloads are declared. package.json is local and there are only local JS files. No suspicious external install sources or archive downloads are present.
- Credentials
- okThe skill requests no environment variables, no credentials, and the code does not access environment secrets or external credentials. This is proportionate to the stated functionality.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request persistent system-level privileges or modify other skills. It does not perform installation steps or persist credentials.