Skill v1.0.0

ClawScan security

PowerfulHarp2041 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 6, 2026, 12:12 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and runtime instructions match its stated purpose (estimating test effort and exporting Excel), but there are small inconsistencies (missing dependency declarations, language/encoding assumptions) and unclear runtime expectations that you should review before running.
Guidance
This skill appears to do what it says (estimate testing effort and produce an Excel file). However:
1) The Python script depends on pandas (and an Excel writer engine), but the skill neither declares these dependencies nor states that Python is required. Confirm that Python and the necessary packages are present before running.
2) The code and sample data use Chinese text. Provide inputs in the expected language, or verify that the classification logic produces sensible results for your input.
3) Run the script in a safe, write-permitted directory (it writes an Excel file into the working directory) and review the generated Excel for correctness.
4) Because there is no install step, do not let an agent auto-install packages without user approval; explicitly inspect and approve any package installs (pip) if they turn out to be required.
If you need stronger assurance, run the scripts in a sandbox, or review and modify them locally to add explicit dependency checks (for example, verifying the Python and pandas versions and the presence of an Excel writer engine) before executing.

Review Dimensions

Purpose & Capability
note
Name/description (test-effort-estimator) align with the included code and reference docs. The two scripts, the references, and SKILL.md all implement test-effort estimation and Excel export. Minor mismatch: the SKILL metadata/title is in English while the code, sample data and references use Chinese strings. This is not malicious, but it could cause classification errors if the input language differs. The skill also bundles a Python script that requires pandas (and an Excel writer backend) but declares no runtime dependencies or required binaries.
Instruction Scope
ok
SKILL.md instructs the agent to analyze requirements, apply formulas, and run the bundled generate_excel.py to produce an Excel report. The instructions do not request reading unrelated system files, accessing environment secrets, or contacting network endpoints. The runtime behavior described matches what the bundled script does (process requirement items and write an Excel file).
Install Mechanism
concern
There is no install specification. The bundled Python script uses pandas, and DataFrame.to_excel requires a writer engine such as openpyxl or xlsxwriter. Because no dependencies or required binaries (python, pip, pandas, an Excel writer engine) are declared, an agent or user may attempt to run the script in an environment lacking them, leading either to a failure or to unexpected attempts to install packages. This is an operational/packaging coherence issue rather than an active supply-chain red flag (there are no external download URLs or archives).
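The guidance above recommends adding explicit dependency checks before executing, and the Install Mechanism finding explains why: pandas plus an Excel writer engine are needed but undeclared. The following pre-flight script is an added example written for this review; it is not part of the skill or the scanner. It checks the interpreter version, the presence of pandas and of at least one writer engine, and that the output directory is writable, and it deliberately never calls pip, so a missing package is reported for a human to approve rather than auto-installed. The minimum Python version (3.9) and the package names are assumptions, since the skill declares none.

```python
"""Pre-flight check for a skill that bundles a pandas-based Excel exporter.

Verifies the interpreter version, the required packages and an Excel writer
engine, and that the output directory is writable. It never installs anything:
a missing package is reported so a human can approve the install.
"""
import importlib.metadata
import importlib.util
import os
import sys
import tempfile

# Assumed requirements for this skill (it declares none); adjust to what the
# bundled script actually imports.
REQUIRED_MODULES = ("pandas",)
EXCEL_ENGINES = ("openpyxl", "xlsxwriter")  # DataFrame.to_excel needs one of these
MIN_PYTHON = (3, 9)  # assumption, not declared by the skill


def module_available(name):
    """True if `name` can be imported; checked via find_spec so nothing is imported/executed."""
    return importlib.util.find_spec(name) is not None


def module_version(name):
    """Installed distribution version for `name`, or None if it is not installed."""
    try:
        return importlib.metadata.version(name)
    except importlib.metadata.PackageNotFoundError:
        return None


def dir_writable(path):
    """True if a file can actually be created in `path`.

    A real create/delete is used instead of os.access, which can report W_OK
    on read-only mounts or with unusual ACLs.
    """
    try:
        with tempfile.NamedTemporaryFile(dir=path):
            return True
    except OSError:
        return False


def preflight(required=REQUIRED_MODULES, engines=EXCEL_ENGINES, outdir=".",
              min_python=MIN_PYTHON):
    """Return a report dict; report['ok'] is True only when every prerequisite is met."""
    report = {
        "python_ok": sys.version_info[:2] >= tuple(min_python),
        "missing": [m for m in required if not module_available(m)],
        "engines": [e for e in engines if module_available(e)],
        "versions": {m: module_version(m) for m in required if module_available(m)},
        "outdir_writable": dir_writable(outdir),
    }
    report["ok"] = (report["python_ok"]
                    and not report["missing"]
                    and bool(report["engines"])
                    and report["outdir_writable"])
    return report


def main():
    # Usage: python preflight.py [output-dir]; exits non-zero so an agent cannot
    # proceed to generate_excel.py on a failed check.
    outdir = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    report = preflight(outdir=outdir)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["ok"]:
        print("Pre-flight failed. Install missing packages manually after review; "
              "this script does not auto-install.")
        sys.exit(1)


if __name__ == "__main__":
    main()
```

Run it from the directory where generate_excel.py will write its output. A non-zero exit is the signal an orchestrating agent should stop on; the explicit refusal to install anything is the point, since the skill's lack of an install step otherwise invites an unreviewed pip run.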
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths. The code does not read the environment or sensitive system configuration. No excessive credential access is requested.
Persistence & Privilege
ok
The skill does not request persistent presence (always: false) and does not modify other skills or global agent settings. The package_skill script writes an archive only when run locally; generate_excel.py writes an Excel file to the working directory. No elevated privileges are requested.