Back to skill
Skillv1.0.0
ClawScan security
Cst Time · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:41 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its stated purpose — a small, instruction-only CST (China Standard Time) helper — and does not request disproportionate permissions, credentials, or installs.
- Guidance
- This skill is small and coherent: the bundled run.sh merely prints the current time in Asia/Shanghai and the documentation contains language-specific examples and optional API calls. Things to consider before installing: (1) the publisher and homepage are unknown — if you prefer vetted sources, review the files yourself; (2) some examples show external APIs (TimezoneDB, Google) that require API keys — only provide those keys if you trust the caller and store them securely; (3) running scripts from any third party always carries risk — inspect run.sh (it's benign here) before execution.
Review Dimensions
- Purpose & Capability
- okName/description match the contents: SKILL.md and run.sh only provide ways to obtain/format CST and convert time zones. There are no unrelated credentials, binaries, or installation steps requested.
- Instruction Scope
- okRuntime instructions only show local commands (date/TZ), language examples (Python, JS, Java, etc.), and optional API examples. They do not instruct reading unrelated files, harvesting environment variables, or transmitting local data to unexpected endpoints.
- Install Mechanism
- okNo install spec; the skill is instruction-only plus a tiny run.sh (prints date in Asia/Shanghai). Nothing is downloaded or written to disk by an installer.
- Credentials
- okThe skill declares no required environment variables or credentials. The SKILL.md contains example API calls that mention API keys (placeholders) but does not require them; this is proportional for optional external API usage.
- Persistence & Privilege
- okalways is false and the skill does not request persistent/system-wide changes or elevated privileges. Autonomous invocation is allowed (platform default) but is not combined with other concerning behaviors.