Skill v1.0.0

ClawScan security

不同方位倾斜面辐射量计算 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 10:50 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (calculating tilted-surface radiation from a NASA POWER–style Excel); minor metadata mismatches were found but there is no evidence of data exfiltration or excessive privileges.
Guidance
This skill appears to do what it says: it reads a user-specified NASA-POWER style Excel, computes tilted-surface radiation using Hay’s model and writes an output Excel. Before installing or running:

1) Note the minor metadata mismatch: SKILL.md lists 'curl' and 'pandas' as requirements but the included script only needs Python 3 and openpyxl (install openpyxl if missing).
2) Only run the script on input files you trust; it will load any file path you provide, so do not point it at sensitive system files.
3) Verify the input Excel matches the expected sheet/column names (the script expects a '气象数据' sheet and specific column layout from metdata-nasa-access).
4) Be aware the azimuth handling uses a simplified empirical correction for non-zero azimuths (documented in the code); if you require high-precision azimuth handling, validate results against a reference implementation.

There are no signs of network exfiltration or secret access in the code.

Review Dimensions

Purpose & Capability
note: The skill's name, description, SKILL.md, and included Python script are consistent: they read a NASA-POWER-style Excel and compute tilted-surface radiation. However, the SKILL.md metadata lists extra runtime requirements (curl and the Python package 'pandas') that the code does not use (the script imports only openpyxl). Requesting 'curl' and 'pandas' is unnecessary for the provided implementation and is a small mismatch to be aware of.
Instruction Scope
ok: Runtime instructions restrict the agent to reading a user-supplied input Excel (expected structure from metdata-nasa-access), running the included script, and returning a generated Excel. The script only reads the specified input path and writes an output file; it does not access other system files, environment variables, or external endpoints. It references the other skill’s output (metdata-nasa-access), which is expected.
Install Mechanism
ok: This is an instruction-only skill with one included Python script and no install spec. Nothing is downloaded or installed automatically by the skill bundle itself.
Credentials
ok: The skill declares no required environment variables or credentials and the script does not access secrets. The only runtime requirements are Python and openpyxl (and SKILL.md metadata also lists pandas, which is not used). No sensitive system paths or other skills' credentials are requested.
Persistence & Privilege
ok: The skill is not forced to be always-loaded, does not modify other skills or system-wide agent settings, and does not request persistent privileges.