Skillv1.0.0

ClawScan security

龙虾玄学运势大师 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 26, 2026, 7:56 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only horoscope/fortune-telling skill that is internally consistent with its stated purpose and requests no extra privileges, installs, or credentials.
Guidance: This skill appears to be an entertainment/horoscope generator and is internally coherent. It requests no credentials, does not install software, and does not ask the agent to read or transmit files—so it poses minimal direct technical risk. Before installing, consider: (1) Content intent: it gives advice in fortune-telling form—if users might follow it for serious decisions, add a clear disclaimer that it is for entertainment only. (2) Privacy: the skill will produce outputs that may repeat user-supplied personal details if prompted; avoid entering sensitive personal data into prompts. (3) Invocation policy: autonomous invocation is allowed by default on the platform; if you do not want the skill to run without explicit user consent, restrict its invocation settings. Otherwise this skill is proportionate to its stated purpose.
Findings: [regex-scanner-no-findings] expected: The repository is instruction-only (SKILL.md) with no executable code; the regex-based scanner had nothing to analyze. This is expected for a prose-only fortune-telling skill. evals/evals.json is present and only contains example prompts/expectations.

Purpose & Capability: okThe name/description (a humorous lobster fortune-teller) matches the SKILL.md instructions: generate daily fortunes, signatures, and snarky advice. There are no unrelated requirements (no binaries, env vars, or config paths).
Instruction Scope: okThe SKILL.md confines the agent to producing text-based fortune outputs using current date/weekday and stylistic rules. It does not instruct the agent to read files, call external endpoints, access environment variables, or transmit data externally. The behavior described is narrowly scoped to content generation.
Install Mechanism: okNo install spec or code files beyond SKILL.md and an evals.json are present. Because this is instruction-only, nothing is written to disk and no external packages or downloads are required.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The requested capabilities are proportional to a text-generation/entertainment skill.
Persistence & Privilege: okalways is false and the skill uses normal defaults (user-invocable, model invocation allowed). Autonomous invocation is platform-default and not by itself a red flag here. The skill does not request persistent system privileges or modify other skills.