Skill v1.0.1

ClawScan security

Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 8:34 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it claims, but its calculator script uses Python eval on untrusted expressions in a way that can be abused to execute arbitrary code — it's coherent but unsafe as-distributed.
Guidance
This calculator is functionally correct but unsafe to run in environments where untrusted users or untrusted inputs can supply expressions. The immediate risk is arbitrary code execution via Python eval despite the attempt to restrict globals. Before installing or enabling this skill for agents that handle external input, either: (1) replace the eval-based evaluator with a safe expression evaluator (parse the expression to an AST and whitelist node types and function names, or use a vetted math-expression library such as numexpr, sympy's parsing with controlled locals, or a dedicated sandboxed evaluator), (2) add strict input validation that only allows digits, operators, parentheses, percent signs, and the exact function names listed (and rejects any '.' or '__' tokens and alphabetic characters outside the whitelist), or (3) run the script in a hardened sandbox where it has no access to sensitive files/credentials. If you are not comfortable with code changes, avoid using this skill in unattended or high-privilege agents. If you want, I can produce a patched version that evaluates expressions safely (AST-based whitelist) or suggest specific libraries and code examples for a secure implementation.

Review Dimensions

Purpose & Capability
ok
Name, description, SKILL.md, and the included scripts/calc.py are consistent: the skill is an instruction-only calculator and the code implements the advertised math functions. No unrelated binaries, credentials, or external services are requested.
Instruction Scope
concern
SKILL.md directs running scripts/calc.py with a user-provided expression. The script evaluates that expression with Python's eval. Although it passes an empty __builtins__ and a whitelist of functions, attribute traversal on evaluated objects (e.g. via numeric literals' __class__ / __subclasses__ chains) can be used to escape the intended sandbox and access file I/O or execute code. The instructions do not warn users or limit inputs.
Install Mechanism
ok
No install spec or external downloads; the skill is instruction-only with a single local Python script. No network fetch or package installation occurs during use.
Credentials
ok
The skill requests no environment variables, credentials, or config paths — this is proportional to a local calculator.
Persistence & Privilege
ok
always is false and the skill is user-invocable; it does not request persistent system presence or modify other skills or system settings.