Back to skill
Skillv0.1.0
ClawScan security
Minecraft Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 12, 2026, 12:43 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is coherent: it contains a small Python script that queries Minecraft servers using the Server List Ping protocol and the SKILL.md only instructs running that script — no unrelated credentials, installs, or external endpoints are requested.
- Guidance
- This skill appears to do exactly what it says: it opens a TCP connection to the target Minecraft server and parses the status response. Before installing/using it, consider: (1) the script will make outbound network connections to whichever host you provide — only query servers you have permission to probe; (2) the code runs locally as a Python script from the skill workspace, so if you are uncomfortable run it in a sandbox or review the script (it's short and straightforward); (3) the skill does not require secrets or external downloads. If you plan to run it periodically, ensure your monitoring policy permits network probes and cron jobs.
Review Dimensions
- Purpose & Capability
- okThe name/description (Minecraft server monitoring) match the included Python script and usage examples. All required behavior (online check, ping, players, MOTD, version) is implemented by the script; there are no unrelated dependencies or permissions requested.
- Instruction Scope
- okSKILL.md simply instructs the agent/user to run the bundled script from the skill workspace path with host[:port] and optional timeout. The instructions do not ask the agent to read unrelated files, environment variables, or send data to third-party endpoints.
- Install Mechanism
- okNo install spec or external downloads. The skill is instruction-only with a provided script — nothing is fetched or written to disk beyond the skill bundle itself.
- Credentials
- okNo environment variables, credentials, or config paths are requested. The script makes outbound TCP connections only to the target server(s) provided by the user, which is proportional to the stated purpose.
- Persistence & Privilege
- okalways is false, autonomous invocation is allowed (platform default) and appropriate for a user-invocable monitoring skill. The skill does not attempt to modify other skills or persistent system-wide settings.