Skill v1.0.0
ClawScan security
X Brand Operator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review: Mar 15, 2026, 8:01 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions would need access to X/xurl app config, a Telegram bot/target, browser user profile, and filesystem paths, but it declares no credentials or config — these mismatches make the package internally inconsistent and worth caution.
- Guidance: This skill intends to autonomously post and engage on X and to send Telegram alerts, but it does not declare any credentials or config locations. Before installing: (1) confirm where and how the xurl app config and Telegram bot token/target are provided and stored (metadata should declare required env vars or config paths); (2) verify you are comfortable with the skill using your browser 'user' profile (it may access logged-in sessions/cookies); (3) note it will write drafts to ~/Workspace/<brand>/... and read memory/social-log.json — check those paths and what data they contain; (4) test in a throwaway account/environment first to ensure behavior matches expectations; (5) ask the publisher for a clear credential/permission model (which env vars are required, how tokens are stored, whether Telegram uses a platform-provided 'message' tool or your own bot). These inconsistencies are not proof of malicious intent, but they are material and should be resolved before trusting the skill with real account credentials or enabling scheduled runs.
Review Dimensions
- Purpose & Capability (concern): The skill claims to automate X/Twitter posting using 'xurl' and to send Telegram alerts. However, the registry metadata declares no required env vars or primary credential. The runtime instructions repeatedly call 'xurl --app <app>' and 'Send Telegram (channel: telegram, to: <telegram_id>)', which implies the need for an xurl app config and Telegram bot credentials or integration details. It also instructs using a browser profile 'user' (access to logged-in session). These capabilities are consistent with the stated purpose, but the lack of declared credentials/config makes the packaging incoherent: a legitimate implementation would normally require and declare the app id/token and Telegram bot token/target.
- Instruction Scope (concern): SKILL.md instructs the agent to: use xurl for search/post/reply/like/follow; fall back to an automated browser session (profile: user) to post; write Substack drafts to ~/Workspace/<brand>/substack/draft-YYYY-MM-DD.md; and read 'memory/social-log.json' for weekly reports. These are cross-cutting actions (network calls to X and Telegram, browser automation using the user's profile, and arbitrary file reads/writes) that go beyond a narrow, read-only helper. The instructions also reference placeholders (<app>, <telegram_id>, <brand>, <url>) without explaining where their secrets/config are stored. Reading 'memory/social-log.json' may touch unrelated agent memory/config.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code to download. That reduces supply-chain risk (nothing is written to disk by an install step).
- Credentials (concern): The skill requests no required env vars in metadata, yet runtime steps clearly require credentials/config: an xurl app configuration and Telegram integration (bot token or channel config), and possibly access to browser profile cookies/sessions. It also assumes write access to the user's home directory. The absence of declared secrets or config paths is disproportionate to the skill's operational needs and creates uncertainty about where credentials are expected or how they will be provided/used.
- Persistence & Privilege (note): The skill is not 'always: true' and uses cron-style scheduled prompts in references/cron-config.md, so it is designed for recurring autonomous runs (the platform's normal mode). Autonomous scheduling + posting privileges increase blast radius (it can post on the account when scheduled), but that is expected for a social-posting automation skill. No indication the skill modifies other skills or system-wide settings.
