Skill v1.0.0
ClawScan security
x-twitter-growth · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 11, 2026, 3:25 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and runtime instructions are coherent with an X/Twitter growth tool: it performs local analysis, content generation, and stores local snapshots, and it does not request credentials or reach out to external endpoints.
- Guidance
- This skill appears to do what it says: local profile audits, competitor analysis (from user-supplied data), content planning, and tweet drafting. Before running it: 1) Note the documentation suggests using a browser/search to collect competitor posts — the scripts themselves expect you to provide that data (via JSON or flags). Don't assume the tool will fetch data for you. 2) The growth_tracker will create and append JSONL files under a .growth-data directory (one level above the scripts); inspect those files if they will contain sensitive metrics. 3) There are no credential requests or network calls in the provided code, but if you plan to extend the skill to fetch data automatically, review any added networking code carefully. 4) Run the scripts in a controlled environment (or inspect the code) if you plan to process real account data — this reduces accidental data leakage or accidental uploads when you later integrate browsing/automation tools.
Review Dimensions
- Purpose & Capability
- note: Name/description (X/Twitter growth, content creation, competitor research) match the included scripts: profile audit, competitor analysis, content planning, tracker, and tweet composer. Minor mismatch: SKILL.md and some docstrings mention 'scraping public info via web search' and instruct using the Brave browser, but the scripts themselves do not implement automated web requests or scraping — they expect either user-provided data or a JSON import for competitor/profile info. This is likely a documentation vs implementation inconsistency, not an indication of hidden capabilities.
- Instruction Scope
- note: Runtime instructions tell the agent/user to run the provided Python scripts and to perform web searches (e.g., site:x.com via Brave). The scripts operate on local data, accept JSON imports, and the growth_tracker writes snapshot lines to a local .growth-data directory. The instructions do not ask for or read system credentials or unrelated config paths. The only scope caveat: SKILL.md suggests browsing/scraping; the actual scripts require manual data collection or JSON imports, so following the SKILL.md may lead the user/agent to perform web browsing outside the script's code.
- Install Mechanism
- ok: No install spec — code is delivered as plain Python scripts and a README-like SKILL.md. Nothing is downloaded or executed automatically beyond running the included scripts locally. This is low-risk from an install mechanism perspective.
- Credentials
- ok: The skill requires no environment variables, credentials, or external tokens. It writes local data (./.growth-data) for the growth_tracker; that local storage is proportionate to tracking functionality but users should be aware of where data is stored.
- Persistence & Privilege
- ok: Flags show always:false and the skill is user-invocable. It does not request permanent inclusion nor attempt to modify other skills or system-wide agent settings. Its persistent effect is limited to local files it creates (the .growth-data directory).
