Skill v1.0.1

ClawScan security

Fact Checker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 5:55 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, optional tools, and optional API keys are coherent with a multimodal fact‑checking purpose and do not request unrelated credentials or perform unexplained actions.
Guidance
This instruction-only skill appears internally consistent with a fact‑checking purpose. It will fetch and analyze user-provided URLs, images, and videos (and may download media to /tmp briefly). No environment variables are required, but you can optionally provide API keys (Google Fact Check, Brave Search, OpenAI) to enable extra features. Before installing, consider: (1) ensure you are comfortable allowing the skill to perform web searches and download user-supplied media for analysis, (2) optional tools (ffmpeg, exiftool, c2patool, whisper) increase analysis depth but are not required, and (3) if you lack a configured web search, the skill will not perform text verification until you set one up (it suggests Brave Search).

Review Dimensions

Purpose & Capability
ok
Name/description (multimodal fact checking) aligns with the instructions and references: text/image/video pipelines, reverse image search, EXIF/C2PA checks, ffmpeg/whisper usage, and optional Google/Brave/OpenAI APIs. No unrelated secrets or binaries are required.
Instruction Scope
note
SKILL.md gives detailed, narrowly scoped runtime steps that stay within fact‑checking (web searches, WebFetch, reverse image search, metadata extraction, ffmpeg keyframe extraction, transcription). It requires access to arbitrary URLs and user‑provided media (expected), writes temporary files under /tmp, and conditionally calls optional CLI tools. Note: the text pipeline mandates having web search available and explicitly refuses to proceed without it for text verification — this is an operational dependency rather than a security incoherence.
Install Mechanism
ok
Instruction-only skill with no install spec and no downloaded code. Optional tooling is invoked only if present on PATH; recommended install commands are typical package manager invocations. No external arbitrary archive downloads or custom install scripts are present.
Credentials
ok
No required environment variables or credentials. Optional env vars are appropriate and proportionate to functionality (GOOGLE_FACTCHECK_API_KEY for the Fact Check API, BRAVE_SEARCH_API_KEY for web search, OPENAI_API_KEY for Whisper API). No unrelated secrets or multiple unrelated credentials requested.
Persistence & Privilege
ok
Skill is not forced‑always, does not request elevated or cross‑skill configuration changes, and has default autonomous-invocation settings. It does not ask to persist credentials or modify other skills.