Calculator
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill is a mostly coherent calculator, but it evaluates the requested expression with Python `eval`, which lets a crafted "calculation" run arbitrary code in the local Python process rather than only compute a number.
Use caution before installing. The skill appears intended to be a calculator and does not show exfiltration or persistence, but its use of Python `eval` is unsafe for untrusted expressions. Prefer a version that uses a dedicated safe math parser.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent or user passes a crafted non-math expression, it may be possible to execute code in the local Python process instead of only computing a number.
The script joins the user-supplied command-line arguments into a string and evaluates that string as Python code. Removing builtins reduces some risk but does not make Python `eval` a safe math parser: attribute access, subscripts, comprehensions and calls on any object still reachable from the expression all evaluate normally, so the expression can still walk the interpreter's object graph.
expression = ' '.join(sys.argv[1:])
...
result = eval(expr, {"__builtins__": {}}, safe_dict)

Replace `eval` with a safe math expression parser or an AST-based whitelist that allows only numeric literals, approved operators, and approved functions. Until then, only use this skill with trusted, simple math expressions.
