Skill v0.1.0

ClawScan security

Chief Creative Officer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 15, 2026, 8:31 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions fit a 'Chief Creative Officer' role but contain contradictions and require creating, persisting, and attaching complete meeting-minute documents to external tools/LLMs (which can leak user content) while not declaring those tool dependencies in the metadata.
Guidance
This skill largely does what a CCO coordinator would do, but before installing you should verify: (1) which platform tools (google_search, baidu_search, url_scraping, wiki_retriever, create/append wiki, delegated LLM endpoints) are actually available to the agent and whether the skill's metadata has been updated to declare them; (2) who can access the created meeting-minute and final report (access control, retention policy) — the skill writes and repeatedly sends full meeting transcripts to external tools/LLMs which can leak sensitive info; (3) whether the delegated LLM endpoints are trusted and whether attaching the meeting file to every model call is acceptable; (4) clarify the contradiction about 'subordinate models are offline' vs. using web searches. If you proceed, test with non-sensitive sample tasks first and confirm data retention and sharing policies for created wiki documents.

Review Dimensions

Purpose & Capability
note: Name and description match the behavior: decomposing creative tasks, coordinating models, and producing a final plan. However the SKILL.md mandates use of many platform tools (search, url_scraping, wiki document creation, subordinate LLM calls) that are not listed in the skill's declared requirements/metadata — the skill effectively requires platform capabilities beyond what the registry metadata states. Asking the agent to create persistent 'meeting minute' documents and attach them to model calls is a legitimate part of the CCO workflow, but it increases the skill's scope compared with the empty requirements declared.
Instruction Scope
concern: The instructions require: (1) creating a persistent wiki 'meeting minute' at the start and a refined report at the end; (2) appending every assignment and every subordinate model output into that document; (3) attaching that meeting-minute file to downstream LLM calls and the final submit_result call. This creates a broad data-handling surface: user-provided content (including potentially sensitive info) will be written and sent to multiple external tools/LLMs. There is a notable internal contradiction: the doc both instructs use of web-search/url-scraping tools and also states subordinate models are 'offline' and cannot perform web searches, which is ambiguous and gives the agent wide discretion. The workflow also mandates always recording everything, increasing risk of persistent exposure.
Install Mechanism
ok: No install spec and no code files — lowest file-system risk from this package itself. The risk arises from tools it instructs the agent to call (wiki creation, search, url scraping, external LLMs), but nothing is downloaded or written by the skill package directly.
Credentials
note: The skill requests no environment variables or credentials, which is proportionate. However, it repeatedly instructs sending the meeting-minute document and final report to external tools/LLMs (via attached_files) and to web-scraping/search endpoints. Even without explicit credentials, these actions can leak user content to third parties. The skill does not explain data residency, access control, or retention for the created wiki documents.
Persistence & Privilege
note: always:false (not force-included) and no global config modifications are requested, which is appropriate. But the skill mandates creating persistent meeting-minute wiki documents that serve as the team's only memory — this implies long-lived stored artifacts. That persistent storage and the requirement to attach those files to multiple model calls increases the blast radius if the storage or the delegates are not trusted.