Skill v1.0.0

ClawScan security

Landing Page Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 23, 2026, 12:48 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill appears to do exactly what it advertises (generate static HTML from three inputs) and its files and instructions are internally consistent aside from a small metadata omission (it effectively requires bash).
Guidance
This skill is coherent and appears safe to run locally: it produces a self-contained HTML file from three text inputs and does not call external services or ask for credentials. Before installing or using it publicly, consider: (1) the script requires a bash-compatible shell even though metadata lists no binaries — ensure your environment provides bash; (2) inputs are not escaped, so do not feed untrusted or user-supplied content directly (an attacker could inject HTML/JS into generated pages); if you plan to publish pages that include external input, add proper HTML escaping or sanitization; (3) because there is no network activity and no secrets requested, the main operational risk is accidental XSS in generated pages rather than covert exfiltration.

Review Dimensions

Purpose & Capability
note: The name/description match the provided code and example output: a simple landing-page generator. One minor inconsistency: registry metadata lists no required binaries, but the included script is a bash script (shebang /usr/bin/env bash and usage shows `bash generate.sh`), so a POSIX bash-compatible shell is actually required.
Instruction Scope
note: SKILL.md simply instructs the agent/user to run the provided script with three arguments and to redirect stdout to a file. The instructions do not read other files, environment variables, or contact external endpoints. Important security note: the script inserts user-supplied strings directly into the HTML without any escaping or sanitization, so if you pass untrusted input (or accept input from users), scripts or HTML could be embedded in the generated page (HTML injection / XSS when served). This is expected for a simple generator but is a behavioral detail you should be aware of.
Install Mechanism
ok: No install spec (instruction-only plus a small script) — nothing is downloaded or written to the system by an installer. This is low risk and consistent with the skill's purpose.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths. That is appropriate for a local static HTML generator and matches the instructions and files.
Persistence & Privilege
ok: The skill is not always-enabled and does not request special persistent privileges. It does not modify other skills or system settings; it only contains a script the agent/user can run.