Skill v1.1.0
ClawScan security
Content Repurposer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 8:42 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and behavior match its repurposing purpose, but the runtime prompts contain prompt-injection/chain-of-thought patterns (and a unicode-control-chars pre-scan hit) that could cause the agent to reveal internal reasoning or behave unexpectedly — review before use.
- Guidance: This package mostly does what it says and stores its config under your home directory, but exercise caution before running it. Steps to consider:
  1) Inspect and sanitize files: open SKILL.md and every script in a text editor that makes control characters visible (e.g., show invisibles) and remove any unexpected unicode-control characters. Remove or reword lines that ask the model to "think step-by-step" or "rate your confidence" (these induce chain-of-thought and can leak internal reasoning).
  2) Check dependencies: confirm jq, html2text, iconv, curl, and any clawdbot tools come from trustworthy sources. html2text and similar utilities can be installed from official repositories.
  3) Test in isolation: run the scripts in a sandbox or throwaway account first (not on sensitive content). The scripts can fetch remote URLs (curl or clawdbot web_fetch) — do not give private URLs or secrets to test runs.
  4) Review config: the example config stores user.name, brand, and primary_cta; avoid putting API keys or secrets into config.json. The skill does not declare any credentials, but double-check before adding them.
  5) Prefer removing mock/placeholder prompts and verify how real LLM calls are made: currently the scripts include MOCK_RESPONSE placeholders; when enabled to call the platform's LLM tool, ensure the 'clawdbot' tool (or other runner) is trusted and that you understand where data is sent.

  If you want, I can produce a cleaned version of the prompts that remove chain-of-thought instructions and flag invisible characters, or point out exact lines to edit.
- Findings
[unicode-control-chars] unexpected: The scanner found unicode control characters in SKILL.md. These can hide or alter prompts and are commonly used in prompt-injection attacks to change parsing or instructions. For a repurposing tool this is unnecessary and should be removed; it increases the risk that an LLM will be manipulated at runtime.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the included scripts: the tool reads a source file or URL, extracts key points, and generates platform-specific outputs. Required actions (reading ~/.config, writing outputs, calling system tools like jq/curl/html2text/pbcopy) are proportionate to the stated purpose. The config schema, platform options, and file outputs are coherent.
- Instruction Scope (concern): The scripts and SKILL.md instruct the agent to read user content and the user's config (~/.config/content-repurposer/config.json), which is expected. However, each platform prompt embedded in the scripts repeatedly asks the LLM to "think step-by-step" and "Rate your confidence" — this is an explicit chain-of-thought pattern that can prompt the model to reveal internal reasoning. The pre-scan detected unicode-control-chars in SKILL.md, which can be used to manipulate prompt parsing. These prompt patterns and hidden characters are scope-creep / prompt-injection risks and should be removed or sanitized.
- Install Mechanism (ok): There is no remote install/download — this is shipped as local scripts and an example config. That's low-risk. Note: the scripts assume external dependencies (jq, curl, html2text, iconv, pbcopy on macOS, and optionally a 'clawdbot' tool). Those dependencies are reasonable for the task but should be installed from trusted sources and audited prior to running.
- Credentials (ok): The skill declares no required environment variables or credentials and only reads a user-scoped config in ~/.config/content-repurposer/config.json. The config stores non-sensitive settings (voice, platform prefs, user.name/brand/primary_cta). No service API keys are requested. This is proportionate to the stated functionality.
- Persistence & Privilege (ok): The skill does create a config and a repurpose log under the user's home directory (normal for a CLI tool). It does not request 'always: true' and does not modify other skills or system-wide agent settings. It writes only to its own directories.
