Skill v1.0.0
ClawScan security
HPM Solver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 2:43 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and requirements are consistent with a local game purchase-combination solver; it does not request credentials or install external artifacts and contains only local computation and local storage calls.
- Guidance: This skill appears to do what it claims: offline computation to find purchase combinations for the named game. It does not request secrets or call external servers in the inspected files. Remaining practical considerations: 1) Provenance: the Source/Homepage are missing and the owner identity is unknown; if you need strong trust guarantees, prefer a skill with a known author or public repository. 2) Local data: the mini-program saves price data and history to local storage; don't load sensitive data into those fields. 3) Review the code yourself if you require higher assurance: look for any network/HTTP calls not present in the supplied snippets (none were found). If you only need the solver logic, you can run the included scripts locally rather than granting any external runtime privileges.
Review Dimensions
- Purpose & Capability (ok): Name/description (HPM solver for game purchases) match the included code and data. The code implements price grouping, divisibility filtering and exhaustive search for purchase combinations. There are no unrelated credentials, binaries, or services requested. Note: the package has no homepage and 'Source' is unknown, which reduces external provenance but does not contradict purpose.
- Instruction Scope (ok): SKILL.md and runtime instructions focus on the solver algorithm and how to run/interpret it. The included mini-program code only reads/writes local storage (wx.*) for prices and history and does not reference unrelated system files, credentials, or external endpoints.
- Install Mechanism (note): There is no install spec (instruction-only install path), which is low-risk. However, the bundle actually contains many code files (JS/Python/tests/mini-program). This is not dangerous by itself but is a mild inconsistency: an 'instruction-only' label in metadata versus many shipped source files. No external downloads or archive extraction are requested.
- Credentials (ok): No environment variables, credentials, or config paths are required. The skill uses only local price/history files and local storage; the amount and kind of access is proportional to the stated functionality.
- Persistence & Privilege (ok): Flags: always is false and the skill does not request permanent/system-wide privileges. It persists user history and basePrices to local app storage (wx.getStorageSync / setStorageSync), which is expected for this UI; it does not modify other skills or global agent settings.
