Skill v2.0.0

ClawScan security

Pinduoduo Listing · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 17, 2026, 6:58 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (Pinduoduo product copy and listing helpers); it does not request credentials or perform network calls, but it does write usage logs to the user's data directory which you should be aware of.
Guidance
This skill appears to do what it says: local generation of Pinduoduo titles, descriptions and marketing copy. Before installing or running it: (1) Review the scripts yourself (they are included) if you have sensitive data—inputs are logged to a local data directory by default (~/.local/share/pinduoduo-listing). (2) If you prefer a different location, set PINDUODUO_LISTING_DIR to a directory you control. (3) Do not pass secrets or credentials into the tool (it does not need them and will log inputs). (4) If you want extra assurance, run the scripts in a restricted/sandbox environment first. The skill does not request network access or external credentials, so its footprint is limited and coherent with its purpose.

Review Dimensions

Purpose & Capability
ok · Name/description describe Pinduoduo listing and copywriting; included scripts (pdd.sh and script.sh) generate titles, descriptions, group/price copy, headlines and maintain simple local logs—these are coherent with the stated purpose.
Instruction Scope
note · SKILL.md simply directs the agent to use the provided CLI-style commands. The runtime scripts generate text locally and do not call remote endpoints. However, the helper script writes usage/history to a local data directory (default ~/.local/share/pinduoduo-listing), so any inputs you pass to the commands will be logged locally.
Install Mechanism
ok · No install spec is provided (instruction-only with bundled scripts). Nothing is downloaded at install time and no external packages are required, lowering installation risk.
Credentials
ok · No required environment variables or credentials are declared. The scripts respect an optional PINDUODUO_LISTING_DIR/XDG_DATA_HOME for data storage but do not request secrets or remote API keys.
Persistence & Privilege
note · always:false and the skill does not attempt to modify other skills or system-wide configs. It does persist logs and a data file to a user data directory (by default under the user's home), which is normal for a CLI helper but is persistent storage of inputs.