Skill v1.0.0
ClawScan security
NSFC Grant Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 12:10 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required resources are consistent with a local NSFC application writing/format-check helper and do not request unrelated credentials or install arbitrary code.
- Guidance: This skill appears coherent and low-risk: it includes only local, simple shell scripts and prose to help you prepare NSFC applications and does not request credentials or download code. Before using: (1) remember you will be sharing your research text with the assistant — the README's promise of confidentiality is not enforced by the scripts; if you use a hosted agent, your data may be logged or transmitted by that platform, so review the host's privacy policy; (2) the scripts are interactive CLI tools — if the agent runs in a non-interactive sandbox they may not function as intended; (3) the skill will not itself upload PDFs or accept files automatically — when the scripts ask whether you uploaded files, that is a user prompt, not an automated transfer; (4) if you have strict confidentiality requirements, run the scripts and all interactions locally on your own machine rather than a hosted service. Minor metadata/version inconsistencies exist (SKILL.md shows 1.0.1 while registry shows 1.0.0) but are not security-critical.
Review Dimensions
- Purpose & Capability (ok): Name/description (NSFC grant-writing assistant) match the included assets: SKILL.md guidance plus four small shell scripts that run local checks. The scripts and prose implement the stated features (abstract/logic/format/representative-work checks) and do not request unrelated cloud credentials or external services.
- Instruction Scope (note): SKILL.md and README instruct the assistant to ask for user project content and run bundled interactive shell checks. The scripts only prompt for user input, run local text checks (wc/grep/read), and summarize results. Minor caveats: the README and SKILL.md assert '保密' (your data won't be leaked) and say PDFs should be uploaded, but there is no implementation to accept/upload files — confidentiality is a claim, not an enforced property of the skill. Also the scripts are interactive CLI tools and may not behave as intended in non-interactive or sandboxed agent runtimes.
- Install Mechanism (ok): There is no install spec and no external downloads; the skill is instruction-first with small included shell scripts. No network fetches or archive extractions are present in the codebase.
- Credentials (ok): The skill requests no environment variables, binaries, or credentials. That aligns with its purpose. Note: the skill will require you to supply potentially sensitive research text during use; the skill itself does not store or transmit that data, but the broader agent/platform may — the skill does not provide guarantees beyond a README statement of '保密' (confidentiality).
- Persistence & Privilege (ok): Flags show no forced persistence (always: false). The skill does not modify other skills or request elevated privileges.
