ClawHub
Back to skill
v1.0.0

Bird Watching Mode

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:17 AM.

Analysis

The skill appears to do what it says—maintain a local bird-watching log—but it relies on an external SuperPicky helper and stores/export location and photo-path data.

GuidanceThis looks safe for its stated purpose if you trust the separate SuperPicky CLI dependency. Before installing, verify the SuperPicky path/source, use a project workspace you are comfortable writing to, and review bird.json or exported CSV files before sharing because they may include your location, notes, and local photo paths.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
SKILL.md
Prerequisites: SuperPicky venv under **`$SUPERPICKY_CLI_SKILL`** ... If missing: **`$SUPERPICKY_CLI_SKILL/scripts/install.sh`**

The skill depends on another skill and its install script for region lookup and photo identification. This is disclosed and central to the stated purpose, but that external dependency is outside this artifact.

User impactIf the separate SuperPicky CLI installation is unsafe or replaced, this skill would run that external helper during bird-region lookup or photo identification.
RecommendationInstall SuperPicky CLI only from a trusted source and confirm that SUPERPICKY_CLI_SKILL points to the intended directory.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/identify_photo.py
cmd: List[str] = [str(run_sh), "--birdid", "identify", f"-t{top}", str(image)] ... proc = subprocess.run(cmd, capture_output=True, text=True, check=False)

Photo identification is implemented by executing the external SuperPicky run.sh helper. The command is built as an argument list rather than a shell string and is aligned with the skill purpose.

User impactUsing photo identification runs local helper code and processes the selected image file.
RecommendationUse absolute paths as instructed, verify the helper path, and only run photo identification on files you intend the helper to process.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
scripts/bird_log_schema.md
`location_query` | string | Place string from user. ... `image_path` | string or null | Local path if photo. ... `birdid_stdout` | string or null | Raw BirdID output if captured.

The skill intentionally persists birding location, observation details, local image paths, and optional raw BirdID output in workspace/bird.json.

User impactYour birding locations, notes, and local photo paths can remain in the project workspace and may appear in exported files.
RecommendationReview workspace/bird.json and exported CSVs before sharing, and avoid using sensitive photo paths or notes if you do not want them stored.