Skill v0.1.0

ClawScan security

temporal-python-testing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 15, 2026, 6:12 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only guide for testing Temporal Python workflows and its requirements and instructions are consistent with that purpose, but it includes examples that perform sensitive operations (exporting production workflow histories) and a few example-code rough edges that you should review before running.
Guidance
This is a coherent, instruction-only guide for testing Temporal Python workflows. Before using it:
1) Review any example scripts (especially scripts/export_histories.py and CI examples): they show connecting to a production Temporal endpoint and exporting workflow histories, which can contain sensitive data; only run these if you have explicit permission and proper credentials.
2) Do not run examples that target production from an untrusted environment; secure exported .pb files and logs.
3) The documents contain small example bugs/typos (e.g., missing imports like 'workflow' in health_check.py, a truncated CI cleanup command), so treat the code as examples to adapt rather than copy-paste.
4) Verify Docker images and dependencies come from official sources (e.g., temporalio/*, postgres) before pulling.
If you need higher assurance, request the author/source repository or a signed release before running scripts that interact with production.

Review Dimensions

Purpose & Capability
ok: Name/description (Temporal Python testing) match the provided instructions and resource files: unit, integration, replay, and local setup guidance. Examples and CI patterns are coherent with testing and replay use-cases.
Instruction Scope
note: Instructions include legitimately sensitive operations for replay testing: connecting to a production Temporal endpoint and exporting workflow histories. Those steps are within the stated purpose (replay/determinism testing) but they entail handling potentially sensitive data and require production access; the guide doesn't provide or request credentials, so users must supply and protect them.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files to be written or installed by the platform. Lowest-risk install profile.
Credentials
note: The skill declares no required environment variables or credentials, which is consistent for an instructional guide. However, example scripts connect to 'production.temporal.io:7233' and call client.list_workflows / fetch_history; those operations require production access/credentials in practice. The absence of declared creds is not malicious but users should be aware they must provide appropriate credentials and guard exported history files.
Persistence & Privilege
ok: always is false, no install actions, and the skill does not request persistent privileges or try to modify other skills or system-wide settings.