Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Calculator
v1.0.1
Accurate mathematical calculations. Use when user needs to compute: (1) Basic arithmetic (+, -, *, /), (2) Powers and roots (^, sqrt), (3) Percentages, (4) T...
⭐ 1· 1.1k·25 current·26 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, and the included scripts/calc.py are consistent: the skill is an instruction-only calculator and the code implements the advertised math functions. No unrelated binaries, credentials, or external services are requested.
Instruction Scope
SKILL.md directs running scripts/calc.py with a user-provided expression. The script evaluates that expression with Python's eval. Although it passes an empty __builtins__ and a whitelist of functions, attribute traversal on evaluated objects (e.g. via numeric literals' __class__ / __subclasses__ chains) can be used to escape the intended sandbox and access file I/O or execute code. The instructions do not warn users or limit inputs.
Install Mechanism
No install spec or external downloads; the skill is instruction-only with a single local Python script. No network fetch or package installation occurs during use.
Credentials
The skill requests no environment variables, credentials, or config paths — this is proportional to a local calculator.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system presence or modify other skills or system settings.
What to consider before installing
This calculator is functionally correct but unsafe to run in environments where untrusted users or untrusted inputs can supply expressions. The immediate risk is arbitrary code execution via Python eval despite the attempt to restrict globals. Before installing or enabling this skill for agents that handle external input, either: (1) replace the eval-based evaluator with a safe expression evaluator (parse the expression to an AST and whitelist node types and function names, or use a vetted math-expression library such as numexpr, sympy's parsing with controlled locals, or a dedicated sandboxed evaluator), (2) add strict input validation that only allows digits, operators, parentheses, percent signs, and the exact function names listed (and rejects any '.' or '__' tokens and alphabetic characters outside the whitelist), or (3) run the script in a hardened sandbox where it has no access to sensitive files/credentials. If you are not comfortable with code changes, avoid using this skill in unattended or high-privilege agents. If you want, I can produce a patched version that evaluates expressions safely (AST-based whitelist) or suggest specific libraries and code examples for a secure implementation.
Like a lobster shell, security has layers — review code before you run it.
