Skill v1.0.0

ClawScan security

Content Hot Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:05 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared purpose (tracking hot topics and producing content ideas) matches the instructions: it only uses web searches and generates suggestions, requests no credentials or installs, and does not ask for unrelated access.
Guidance
This skill appears internally consistent: it searches public web results and generates topic/title suggestions without requesting credentials or installing software. Things to consider before installing: (1) “real-time” monitoring is limited to running searches — if you need true streaming/continuous monitoring you may need an implementation that polls or uses platform APIs. (2) Some Chinese platforms may be rate-limited or require a VPN or official APIs; the SKILL.md notes this but does not implement VPN or API auth. If you later provide API keys for Weibo/抖音/etc., confirm those keys are only used for the stated purpose. (3) Check the agent’s web_search provider and its privacy/TOS (search results provider may fetch content that requires login). If you need deeper platform integrations, prefer explicit API-based skills that request only the necessary credentials.

Review Dimensions

Purpose & Capability
ok: The name and description claim multi-platform hotspot tracking and content suggestions, and the SKILL.md shows exactly that: it instructs the agent to use a web_search tool with platform-specific queries and to produce topic lists, trend analysis, and title suggestions. There are no unrelated required binaries, env vars, or config paths.
Instruction Scope
ok: Runtime instructions are narrowly scoped: they provide search query formats, analysis heuristics (rising/steady/declining), and output templates. The instructions do not ask the agent to read local files, access system env vars, or send data to external endpoints other than performing web searches. One caveat: the SKILL.md uses the phrase “实时监控” (real-time monitoring) but only specifies web_search queries — true real-time pushing or streaming is not implemented in the instructions, so expectations about latency should be tempered.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk. That minimizes install-time risk.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. That is proportionate: tracking public hot topics via web_search does not require secrets. If a later integration with platform APIs is added, auth would be expected then.
Persistence & Privilege
ok: always is false and the skill does not request persistent system privileges or to modify other skills. Autonomous invocation is allowed (default) but that is normal and not combined with other high-risk capabilities.