Skill v1.0.0
ClawScan security
伐谋 - Data analysis tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 6:11 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only data-analysis helper whose requirements and runtime instructions align with its stated purpose and do not request unexpected credentials or install steps.
- Guidance: This skill is coherent for dataset analysis: it doesn't ask for credentials or install code. Before enabling, confirm that your agent environment uses the referenced paths (/mnt/user-data/uploads/ and /mnt/user-data/outputs/) and that you are comfortable the agent can read uploaded files placed there. Also note the skill declares it should be invoked whenever a user mentions data-analysis terms — consider whether you want it auto-triggered in all those cases. Finally, as with any data-processing tool, avoid uploading sensitive data unless you trust the agent/environment's storage and retention policies.
Review Dimensions
- Purpose & Capability (ok): Name/description (数据分析, "data analysis") matches the instructions: guidance on understanding, cleaning, transforming, and reporting on datasets. No unrelated credentials, binaries, or installs are requested.
- Instruction Scope (note): Instructions stay within data-analysis tasks (quality checks, cleaning rules, reporting format). It explicitly references local upload/output paths (/mnt/user-data/uploads/ and /mnt/user-data/outputs/) and runtime settings (encoding, matplotlib fonts), which is reasonable for a data skill but worth noting because the skill assumes access to those filesystem locations and will be triggered whenever the user mentions data analysis.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill. This minimizes on-disk footprint and external downloads.
- Credentials (ok): Requires no environment variables, credentials, or config paths. The only environment assumptions are file locations and common encoding/font settings needed for data processing and visualization.
- Persistence & Privilege (ok): always is false and the skill does not request persistent system modifications or elevated privileges. Autonomous invocation is allowed by platform default but not combined with other high-risk factors.
