Back to skill
Skillv1.0.2
ClawScan security
Global Holidays · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 18, 2026, 4:58 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions match its stated purpose (using the Python 'holidays' library to check/generate public holidays); nothing requested is disproportionate or unexplained.
- Guidance
- This skill appears coherent and limited to the Python 'holidays' library. Before installing/using it: (1) allow the agent to run pip/python only if you trust installing a PyPI package; prefer creating and using a virtual environment rather than --break-system-packages to avoid altering system Python; (2) pin to a specific version for production; (3) the skill will only read a custom holiday file if you explicitly supply the full path — never provide credentials or unrelated file paths; (4) note the SKILL.md mentions an alternate 'uv run' runner (documentation inconsistency) — confirm your runtime environment supports the documented commands if you plan to run examples.
Review Dimensions
- Purpose & Capability
- okName/description (global holidays) align with required binaries (python, pip) and the SKILL.md which documents using the Python 'holidays' package. The install step (pip install holidays) is appropriate for the declared functionality.
- Instruction Scope
- noteSKILL.md stays on-topic (fetching and merging holiday data, checking dates, handling user-provided custom holiday files). It explicitly instructs asking the user before reading any local file, which is good. Minor note: examples mention running via an alternate runner 'uv run' that is not declared as a required binary — this is a small documentation inconsistency, not a functional concern.
- Install Mechanism
- okInstallation is via pip (PyPI) which is expected for a Python library. The doc recommends using a virtual environment or pinning versions. This is a standard moderate-risk install mechanism and proportional to the skill's purpose.
- Credentials
- okNo credentials, config paths, or environment variables are requested. The skill only needs Python and pip to run example code; custom-holidays handling explicitly requires an explicit user-provided path before reading files.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated or persistent privileges. It does not instruct modifying other skills or system-wide configs.