Back to skill
Skillv2.0.0
ClawScan security
Poem Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 17, 2026, 6:58 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is coherent with its stated purpose (poem-generation); it contains local helper scripts that generate prompts and store simple usage logs locally, with no network calls or extra credentials requested.
- Guidance
- This skill appears to do what it says: provide poem templates and generate text. Before running, review the included scripts (they are small and readable). Be aware it will create a data directory (default: $XDG_DATA_HOME or $HOME/.local/share/poem-generator) and append simple usage/history logs to history.log; if you prefer a different location, set POEM_GENERATOR_DIR. There are no network calls or credential requests. Also note the SKILL.md shows a 'run' example not implemented in the scripts — a documentation mismatch rather than malicious behavior. Avoid running scripts as root unless you understand and want the files placed in system paths.
Review Dimensions
- Purpose & Capability
- okName/description (poem generation, haiku, couplets, etc.) matches the included files: shell scripts provide templates and commands for generating various poem types. No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- noteSKILL.md and scripts primarily provide prompt templates and CLI wrappers. Minor inconsistency: SKILL.md example shows 'poem-generator run' but the provided scripts expose commands like write/haiku/couplet and a different CLI verb set (script.sh uses draft/headline/seo etc.). This is a documentation mismatch but not a security issue. The runtime instructions do not ask the agent to read arbitrary system files or send data externally.
- Install Mechanism
- okNo install spec; instruction-only plus two local shell scripts. No downloads, package installs, or extraction from remote URLs.
- Credentials
- noteThe scripts read standard environment variables (POEM_GENERATOR_DIR, XDG_DATA_HOME, HOME) to choose a local data directory and create files there. No secrets/credentials are requested. Note: the skill will create and append logs under the data directory (default: $XDG_DATA_HOME or $HOME/.local/share/poem-generator).
- Persistence & Privilege
- okalways:false and no special privileges. The only persistent effect is writing a history.log under the skill's data directory; it does not modify other skills or system-wide settings.