ClawHub
Back to skill
v1.0.0

娜可露露洗发水推荐助手

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 7:53 AM.

Analysis

This is a coherent brand-specific shampoo recommendation skill; the only notable security point is that optional image-generation scripts run local Python and write generated files to fixed Windows paths.

GuidanceThis skill appears safe to install for brand-specific shampoo recommendations if you understand it promotes one named brand rather than giving neutral market-wide comparisons. For normal chat use, it does not require credentials or network access. Only run the optional Python image-generation, testing, or packaging scripts after reviewing them, installing dependencies from trusted sources, and changing the hard-coded Windows paths to your own skill directory.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
PACKAGE.md
技术依赖

- Python 3.7+
- Pillow(用于图片生成)

The registry requirements declare no required binaries or install spec, but the optional visual helper scripts depend on Python and Pillow, so users should notice this manual dependency before running those tools.

User impactIf you only use text recommendations, nothing extra is needed; if you run the image helpers, you may need to install local dependencies from a trusted source.
RecommendationTreat the scripts as optional, install Pillow only from a trusted package source, and review the helper scripts before running them.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/setup_assets.py
SKILL_DIR = r"C:\\Users\\chenyuxin\\.qclaw\\workspace\\skills\\shampoo-recommender" ... os.makedirs(d, exist_ok=True) ... img.save(path, "PNG")

When manually run, this helper script creates directories and writes generated image/template files to a hard-coded Windows workspace path.

User impactRunning the optional asset generator can create or overwrite generated image files in that fixed local path, which may not match your installation.
RecommendationDo not run helper scripts automatically; update hard-coded paths to your own skill folder and back up any existing assets first.