Back to skill
Skillv2.9.1
ClawScan security
productivity skill(yewubin) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 11:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's declared requirements and runtime instructions are consistent with a local, goal-driven productivity coach that reads/writes the platform's native memory and optionally uses calendar tools; nothing requested is disproportionate to its stated purpose.
- Guidance
- This skill appears to do what it says: a local-first productivity coach that reads/writes the platform's native memory and can set reminders or optionally sync to Google Calendar. Before enabling it, verify you are comfortable with the following: (1) the skill will ask to save your 5 core goals to MEMORY.md (granting persistent storage) — only approve if you want that data retained; (2) calendar sync is optional and uses user-initiated OAuth — don't enable it unless you want events mirrored to Google; (3) watch for the consent prompts during FIRST_TIME_SETUP and decline if you prefer session-only mode. The only minor inconsistency is wording around reminders being "non-negotiable" vs. "always ask" — confirm in the UI that the skill prompts before creating reminders/writes. If you need greater assurance, inspect the platform's implementation of the memory and schedule tools to see how consent and writes are enforced.
Review Dimensions
- Purpose & Capability
- okName/description (AI productivity coach) match the SKILL.md and supporting docs: the skill reads/writes MEMORY.md and daily notes, scores tasks, sets reminders, and optionally syncs to Google Calendar. No unrelated credentials, binaries, or hardcoded system paths are requested.
- Instruction Scope
- noteRuntime instructions are focused on the stated purpose (energy sensing, task scoring, calendar/list management, saving goals to MEMORY.md). They explicitly require user consent before writing to long-term memory and before OAuth calendar sync. Minor inconsistency: SKILL.md and PRIVACY.md state the skill "always asks for user confirmation" before scheduling/writing, while Calendar rules call setting a reminder "non-negotiable" — this is a behavioral wording mismatch to be aware of but does not indicate hidden behavior.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files. No packages, downloads, or executables are written to disk by the skill itself — lowest install risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths. Its declared tool permissions (memory, schedule, optional google-calendar MCP) are proportionate to a calendar/memory-based productivity coach.
- Persistence & Privilege
- noteThe skill reads and (with consent) writes the platform native MEMORY.md and daily notes; that persistence is expected and appropriate for a long-term personal coach. It is not always-enabled and does not request system-wide privileges. Because it can autonomously be invoked by agents (platform default), users should confirm they are comfortable granting write permission to the platform memory when asked.