Skill v0.1.0
ClawScan security
gamma-phase-associator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 14, 2026, 8:20 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is an instruction-only documentation skill for the GaMMA earthquake phase association Python library. Its stated purpose matches the content and it doesn't request credentials or unusual system access. The main residual risk is installing a third-party GitHub package if you follow the included pip instruction.
- Guidance: This skill is documentation-only and internally consistent. If you plan to use it, review the GitHub repository it points to (https://github.com/wayneweiqiang/GaMMA) before running the pip install command, because installing from a repo can execute arbitrary code during installation. Prefer installing from an official PyPI release or a well-known project fork, inspect the repository for malicious install hooks, and perform installation inside a virtual environment or container. Because the skill does not request credentials, avoid supplying any unrelated secrets when experimenting.
Review Dimensions
- Purpose & Capability: ok. The skill name/description match the SKILL.md content: it's documentation for the GaMMA associator library and explains inputs, config keys, and API. Nothing requested or required is disproportionate to documenting or using that library.
- Instruction Scope: ok. SKILL.md is documentation and API reference. It does not instruct the agent to read unrelated files, environment variables, or system paths, nor to transmit data to unexpected endpoints. The only actionable instruction is an example pip install command for the library.
- Install Mechanism: note. No formal install spec in the skill bundle; SKILL.md recommends 'pip install git+https://github.com/wayneweiqiang/GaMMA.git'. Installing directly from a public GitHub repo is common and traceable, but it does run code from that repo during install (setup/pyproject hooks). This is moderate-risk if you blindly run it; prefer audited releases or PyPI packages.
- Credentials: ok. The skill requires no environment variables, credentials, or config paths. There are no requests for unrelated secrets or system credentials in the documentation.
- Persistence & Privilege: ok. Skill is user-invocable and not always-enabled. Autonomous model invocation is allowed (platform default) but the skill itself does not request elevated persistence or modify other skills or system settings.
