Skill v1.0.0
ClawScan security
Douyin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 7:27 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only Douyin script optimization skill whose declared requirements, instructions, and scope align with its stated purpose and request no extra privileges or credentials.
- Guidance: This skill appears coherent and low-risk: it only uses the text you give it to diagnose and rewrite Douyin/TikTok-style short-video scripts and it requests no credentials or installs. Before installing: 1) note the small metadata mismatch (registry said no homepage while skill.json lists https://clawhub.ai) — minor but worth confirming the publisher if you need provenance. 2) Do not paste account credentials, private analytics, or proprietary tracking data into prompts — the skill doesn't need them. 3) Expect the assistant to ask for context about current trends or niche audience; the SKILL.md explicitly forbids fabricating trend certainty. 4) Test with non-sensitive example scripts to confirm outputs match your expectations and platform policy requirements. If you need higher assurance, ask the publisher for source/origin or a verification link before use.
Review Dimensions
- Purpose & Capability (ok): Name/description (Douyin short-form traffic and hook/retention work) matches the SKILL.md content and the listed capabilities. The skill does not request unrelated binaries, credentials, or config paths. Minor metadata inconsistency: registry summary showed no homepage while skill.json includes a homepage (https://clawhub.ai) and an author; this is a bookkeeping discrepancy but not a functional mismatch.
- Instruction Scope (ok): SKILL.md is an instruction-only spec that tells the agent to parse user-provided topic/script, diagnose hook/retention issues, and propose rewrites. It does not instruct the agent to read system files, environment variables, hidden endpoints, or transmit data to external services. Guardrails requiring explicit trend/context are present.
- Install Mechanism (ok): No install spec and no code files to execute; lowest-risk format (instruction-only). There are no downloads, installers, or extracted artifacts.
- Credentials (ok): The skill declares no required environment variables, no primary credential, and the runtime instructions do not reference secrets or external credentials. There is no disproportionate credential request.
- Persistence & Privilege (ok): always is false and the skill does not request permanent presence or modification of other skills/configuration. disable-model-invocation is default false (normal). Nothing here grants elevated or unusual privileges.
