Skillv1.0.6

ClawScan security

Doubao Capture · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 8, 2026, 9:07 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, declared requirements, and runtime behavior are internally consistent: it is an instruction-only Windows/WSL helper that expects an existing local Python script and integrates with other local skills in a YouTube-translation workflow.
Guidance: This skill is instruction-only and does not include the actual Python script it instructs you to run — it points to a script on your H: drive via WSL. Before using: (1) verify that scripts/capture_doubao_scroll_v2.py exists on the referenced path and inspect its contents to ensure it does only the expected GUI capture and file output (no hidden network calls or credential reads); (2) ensure you trust the source of that script and the other workflow skills (doubao-launch, audio-play); (3) be aware it requires a visible Windows desktop and will interact with the GUI; (4) run it in a controlled environment (sandbox or VM) if you are unsure. If you cannot inspect the script, avoid granting it access to sensitive directories or running it with elevated privileges.

Purpose & Capability: okThe name/description (capture Doubao translation output) match the SKILL.md instructions (run a local Python script to capture translated subtitles). No unrelated credentials, binaries, or network endpoints are requested.
Instruction Scope: noteInstructions are narrowly scoped to running a local script via WSL/python.exe with a provided HWND and writing output to a Windows 'works/' directory. They reference only UI automation constraints (visible desktop) and the expected integration inputs (window_handle from doubao-launch). Note: the skill assumes the presence of the script 'scripts/capture_doubao_scroll_v2.py' on the host; the package itself does not include that script.
Install Mechanism: okNo install spec and no downloads — instruction-only — so nothing is written by the skill bundle itself. This is low-risk, but it relies on an external/local script already present on the machine (openclaw.plugin.json entry points at /mnt/h/AI/.../capture_doubao_scroll_v2.py).
Credentials: okThe skill requests no environment variables, credentials, or config paths. It only references common Windows/WSL paths and an output directory appropriate for the stated task.
Persistence & Privilege: okalways is false and the skill does not request permanent presence or modify other skill/system configs. It will run only when invoked and relies on local GUI automation capabilities.