Back to skill
Skillv1.0.0
ClawScan security
Growth Hacker (Early Stage) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 9, 2026, 10:02 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only 'growth hacker' skill whose requested capabilities and files match its stated purpose; it contains tactical marketing playbooks but asks for no credentials or installs.
- Guidance
- This skill is internally coherent and contains practical growth tactics, but review before acting: many tactics (coordinated upvotes, cold emailing, scraping contacts) can violate platform policies or anti-spam laws—use only compliant methods and obtain consent. Because the skill names third‑party services, be mindful that integrating those services will require you to supply and protect API keys or account credentials separately (the skill does not request them). If you plan to automate actions, audit the automation for policy/legal risk and limit any agent autonomy when performing outreach or platform interactions.
Review Dimensions
- Purpose & Capability
- okName/description align with the content. The SKILL.md and channel playbooks provide tactics for acquisition, activation, retention, referrals, and A/B testing; there are no unexpected binaries, env vars, or config paths required.
- Instruction Scope
- noteInstructions stay within growth/marketing scope (channel tactics, referral mechanics, measurement). Some recommendations (organizing upvotes, mass cold outreach, use of email-finding tools) raise ethical/platform‑policy and legal considerations (spam laws, site rules), but they are consistent with a growth playbook rather than indicating hidden or unrelated behavior.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill that does not write to disk or fetch external code. This is the lowest-risk install profile.
- Credentials
- noteThe skill declares no required environment variables or credentials. The guide names third-party tools (Posthog, GrowthBook, Apollo.io, Hunter.io, Resend, Beehiiv, etc.) which, if you choose to use them, will require separate credentials handled outside this skill. That is proportionate but users should be aware they must provide and protect those credentials when integrating tools.
- Persistence & Privilege
- okalways is false, no config paths or system modifications, and the skill does not request permanent presence or elevated privileges. Autonomous invocation is allowed by default on the platform but is not unusual or excessive here.