Skill v1.0.0
ClawScan security
Dolphindb · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 12, 2026, 9:22 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is an instruction-only documentation bundle for DolphinDB (large set of markdown docs and examples); its declared requirements and behavior are consistent with that purpose and it does not request credentials, install software, or require elevated privileges. However, the SKILL.md contains detected unicode control characters, which should be reviewed before use.
- Guidance: This skill appears to be what it claims: a large offline copy of DolphinDB docs and three whitepapers. It does not request credentials or install code. Recommended precautions before installing/using:
  1) Inspect SKILL.md and README for invisible unicode control characters (the scanner flagged 'unicode-control-chars') and remove them if present.
  2) Do not execute sample commands that load plugins or .so files (e.g., loadPlugin('/path/to/backtest_plugin.so')) unless you trust the plugin source.
  3) Be cautious following any doc that collects system identifiers (doc_5208.md about server fingerprint for licensing) — those steps may gather sensitive host information; only follow them if you understand the implications and trust the destination.
  4) If you plan to place the skill into a global skills directory, prefer a project/local installation first to confirm behavior.
  5) If you will use generated scripts from the skill, review them before running in production.
- Findings: [unicode-control-chars] unexpected: The scanner found unicode control characters inside SKILL.md (prompt-injection signal). For a documentation-only skill this is unexpected and could be used to influence model parsing or display. This is not proof of maliciousness, but you should inspect SKILL.md (and other files) for invisible characters and remove them if undesired.
Review Dimensions
- Purpose & Capability (ok): Name/description claim a DolphinDB documentation/guide and the repo contains ~1490 docs + 3 whitepapers and examples. There are no unrelated environment variables, binaries, or install specs requested — this is proportionate for a documentation skill.
- Instruction Scope (note): SKILL.md and README are documentation and usage guidance for invoking the skill in AI agents (VSCode/Copilot etc.) and include code examples for DolphinDB. They do not instruct the agent to read system config, access unrelated credentials, or exfiltrate data. A few docs reference loading plugins (e.g., loadPlugin('/path/to/backtest_plugin.so')) and a whitepaper/doc about collecting server fingerprints (doc_5208.md) — these are part of upstream product docs and not execution instructions of the skill itself, but you should not blindly run suggested commands or load .so plugins from untrusted sources.
- Install Mechanism (ok): No install spec and no code files that will be executed by the platform; the skill is instruction-only (markdown files). This minimizes disk write or remote-download risk from the skill metadata itself.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. The included docs reference product behaviors (e.g., snapshotDir, plugin paths) inherent to DolphinDB but the skill metadata does not require secrets or unrelated credentials.
- Persistence & Privilege (ok): always is false and there is no install activity or automatic modification of agent/system configs. The skill is user-invocable and can be invoked autonomously per platform defaults — expected for skills of this type.
