Skill v1.0.0

ClawScan security

brand-slogan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 21, 2026, 6:46 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
This is an instruction-only Chinese brand-slogan generator whose requirements and instructions are consistent with its stated purpose and request no unexpected credentials or installs.
Guidance
This skill appears coherent and safe in that it asks for nothing outside slogan generation. Before installing, consider: (1) The skill will auto-run when triggered by certain keywords and will not ask clarifying questions — if you want to review or confirm inputs first, do not enable autonomous use. (2) It explicitly uses web search to fill missing brand data and will parse any uploaded PPT/PDF — do not upload sensitive or confidential materials. (3) Example content includes medical/health claims (e.g., '降血脂') — verify legal/regulatory compliance for any claims before using outputs publicly. (4) The SKILL.md references keeping 'logs' but does not state where they are stored; prefer not to provide secrets or highly sensitive files to the skill. If these behaviors are acceptable, the skill is proportionate to its stated purpose.

Review Dimensions

Purpose & Capability
ok: Name, description and runtime instructions all describe generating 7×7 slogan candidates and ranking them; there are no declared env vars, binaries, or installs that are unrelated to copywriting. Requested behaviors (web search to supplement missing brand info, parsing uploaded brand files) are reasonable for the stated purpose.
Instruction Scope
note: SKILL.md gives concrete, narrowly scoped instructions for generating and scoring slogans (language, rhyme rules, length, scoring rubric). It also instructs the agent to perform WebSearch when brand info is insufficient and to parse uploaded PPT/PDF files — these are coherent with the goal but mean the agent will access external web results and any user-uploaded files. The instructions also force 'do not ask, execute directly' and silent error handling, which may produce output without opportunity for clarification; this is a behavioral design choice rather than a hidden capability.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. Nothing is downloaded or written to disk by the skill package itself.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. All required access (web search, uploaded files) is consistent with slogan generation and no unrelated secrets are requested.
Persistence & Privilege
note: Flags indicate default invocation (not always: true) and no autonomous always-on privilege. The SKILL.md mentions logging ('低分版记入 logs') but provides no destination for logs; this is a minor transparency note — the skill itself does not request system-wide config changes or cross-skill privileges.