Skill v0.1.0
ClawScan security
civ6lib · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 13, 2026, 3:25 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and documentation largely match its stated purpose (Civ6 district rules), but there are small but meaningful inconsistencies in packaging and instructions that make its runtime behavior unclear — review before installing or running.
- Guidance: This package appears to implement Civ6 adjacency and placement rules and does not request secrets or network access, but there are coherence issues you should consider before running it: (1) The documentation shows importing `civ6lib` but only scripts/ files are included — you may need to package or adjust imports before use. (2) SKILL.md references other import paths/skills (src.hex_utils, hex-grid-spatial) that don't match the provided files. (3) Several source files in the bundle are truncated in the metadata you were given and there are small-looking code issues (e.g., incomplete f-string in a truncated function), which suggests the copy may be incomplete or untested. Recommended actions: review the full source locally, run unit tests in a sandboxed environment, and only use the code after fixing import/packaging issues and confirming there are no hidden network calls or dynamic code execution. If you lack the ability to audit Python code, avoid running it in production environments or giving it network/privileged access.
Review Dimensions
- Purpose & Capability (note): Name/description, SKILL.md, and the included Python modules all focus on Civ6 district placement and adjacency rules, which is coherent. However, SKILL.md shows usage like `from civ6lib import ...` but the bundle only contains scripts/ files (no civ6lib package __init__ or top-level module). SKILL.md also references importing from `src.hex_utils` or using a different skill (`hex-grid-spatial`), while the code imports `hex_utils` directly. These packaging/import mismatches mean the code may not be directly importable as documented.
- Instruction Scope (ok): The SKILL.md usage and the code operate entirely on provided tile/placement data and local functions. There are no instructions to read arbitrary host files, access environment variables, or send data to external endpoints.
- Install Mechanism (note): No install spec is provided (instruction-only), which is low risk, but the bundle includes multiple Python scripts. Because there's no installation guidance, it's unclear how the agent/user is expected to import or run these scripts (packaging gap). This is a functional incoherence rather than a direct security issue.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths, and the code does not reference external secrets. No credential or environment access appears necessary for the stated purpose.
- Persistence & Privilege (ok): The skill does not request always-on presence (always: false). It does not attempt to modify system or other skills' configurations. Autonomous invocation is allowed by default but is not combined with other concerning privileges here.
