Skillv1.0.0

ClawScan security

DoctorClaw Content Repurposer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 1:03 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, requirements, and behavior are coherent with a content-repurposing tool and request no elevated access or unusual installs.
Guidance: This skill appears to do what it says: convert one piece of content into multiple platform-ready outputs. Before installing or enabling integrations, consider: only paste content you want processed (don’t paste secrets or sensitive drafts); if you connect social accounts or RSS feeds, grant minimal OAuth scopes and review scheduled posts before publishing; be cautious with private URLs (the agent may fetch them); and if you enable automation (RSS watching/auto-posting), audit the automation settings and revoke access if you stop using them. No installs or credentials are required to use the core repurposing functionality.

Review Dimensions

Purpose & Capability: okName/description match the runtime instructions: the SKILL.md describes ingesting a piece of long-form asset and producing platform-formatted outputs. The skill declares no binaries, env vars, or installs, which is proportionate for this purpose. The only capabilities beyond text transformation are optional (posting/scheduling, RSS watching) and are presented as integrations you must enable; they are not required by the core skill.
Instruction Scope: noteRuntime instructions are specific and limited to ingesting content (pasted text, URL, or file path), extracting core elements, and generating platform outputs. This stays within the stated purpose. Note: the doc instructs the agent to fetch content from URLs and accept local file paths — legitimate for the task, but these actions involve network access and reading user files when used.
Install Mechanism: okNo install spec and no code files — this is instruction-only, so nothing is written to disk or downloaded by default. That is the lowest-risk install profile and appropriate for the described functionality.
Credentials: noteThe skill requests no environment variables or credentials by default. It suggests optional integrations (platform accounts for direct posting, RSS feed watchers) which, if enabled, will require credentials — that is expected but should be limited to the minimal OAuth/scopes necessary for posting/scheduling.
Persistence & Privilege: okalways:false and user-invocable:true; the skill does not request persistent system presence by default. The doc mentions optional 'auto-repurpose on publish' and scheduling features — these would create ongoing behavior only if you deliberately configure integrations or automation.