Skillv1.0.0

ClawScan security

Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 14, 2026, 4:31 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill matches its stated purpose (a calculator) but the included Python evaluator uses compile()/eval in a way that's insufficiently sandboxed and could be exploited to run arbitrary code, so proceed with caution.
Guidance: This skill is coherent with its description, but the bundled Python evaluator uses compile()/eval with only a name whitelist — that protection is insufficient against certain sandbox-escape expressions (attribute/constructor chains can execute arbitrary code without introducing new names). If you plan to install or run this skill, consider: 1) Only evaluate expressions you trust (do not accept untrusted input). 2) Run the skill in a restricted environment (container, VM) if it will process user-provided expressions. 3) Prefer a patched version that avoids eval (use a safe parser/evaluator like a restricted AST evaluator, asteval, sympy.parsing, or explicit AST whitelisting of node types). 4) If you want the agent to never run this autonomously, disable autonomous invocation for the skill (set disable-model-invocation) or avoid granting it automatic invocation. If you want, I can suggest concrete safe replacements/patterns for expression evaluation or a minimal hardening patch for this script.
Findings: [use-of-eval] expected: Using eval is expected for an expression evaluator, but it is risky. The usage in scripts/calculator.py attempts to limit names, yet this pattern is a known source of sandbox bypasses and should be hardened or replaced with a safe expression parser.

Review Dimensions

Purpose & Capability: okName, description, SKILL.md usage, and the provided scripts/calculator.py are coherent: the code implements expression evaluation and unit conversions described by the skill.
Instruction Scope: concernSKILL.md instructs the agent to run scripts/calculator.py with user-supplied expressions. The script evaluates expressions via compile() + eval() with a restricted names dict, but that sandboxing is incomplete: attribute- and object-based sandbox escapes (which do not introduce new names) can be used to execute arbitrary Python code. The instructions therefore enable execution of potentially unsafe input on the host where the skill runs.
Install Mechanism: okNo install spec; this is instruction-only plus a bundled Python script. Nothing is downloaded or installed automatically, which minimizes install-time risk.
Credentials: okThe skill requests no environment variables, credentials, or config paths. Those requirements are proportionate to a local calculator utility.
Persistence & Privilege: okalways is false, no elevated or persistent installation behavior is requested. The skill does not modify other skills or global agent config.