Skill v2.0.0
ClawScan security
Meme Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 6:48 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it says (generate meme text/templates) and does not request credentials or perform network exfiltration, but it includes executable shell scripts and lacks an explicit install step — review before allowing execution.
- Guidance: This skill appears to be coherent and not overtly malicious: it generates meme templates and captions, doesn't ask for secrets, and doesn't make network calls. Before installing/allowing execution, consider: 1) The package includes two shell scripts that will create ~/.local/share/meme-generator (or the directory you set) and append to data.log and history.log — review those files if you care about local writes. 2) There is no install spec to put a 'meme-generator' binary on PATH; the SKILL.md examples assume such a command exists — confirm how these scripts will be invoked in your environment. 3) If you will permit autonomous invocation, be comfortable with the agent running included shell scripts. If uncertain, run the scripts in a sandbox or inspect them line-by-line (they are short and readable) and verify the upstream source/homepage before use.
Review Dimensions
- Purpose & Capability (note): Name/description match the included functionality: templates, caption and generate commands. The provided scripts implement a small CLI that lists templates and writes local data. Minor mismatch: SKILL.md examples call a 'meme-generator' command but there is no install spec that would place these scripts on PATH — plausible but worth noting.
- Instruction Scope (ok): SKILL.md instructs the agent to run the CLI commands and configure MEME_GENERATOR_DIR. The included scripts only read their arguments and write/read files under a data directory; they do not access unrelated system paths, environment secrets, or external endpoints.
- Install Mechanism (note): No install spec is provided (instruction-only). Code files (two shell scripts) are included but there's no mechanism described to install them as a 'meme-generator' command. This is not dangerous by itself but is an operational inconsistency users should be aware of.
- Credentials (ok): The skill requests no environment variables or credentials. It supports an optional MEME_GENERATOR_DIR for data location, which is proportional to its functionality.
- Persistence & Privilege (ok): always is false and the skill does not request system-wide privileges. The scripts create and write to a data directory in the user's home (default ~/.local/share/meme-generator) — normal for a local CLI but worth noting as persistent local storage.
