Skill v0.1.3

ClawScan security

Community Demand Prospecting · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 8, 2026, 1:07 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested artifacts, templates, and runtime instructions are consistent with its stated goal of auditing products and drafting safe community outreach; it requires no installs, credentials, or unusual privileges.
Guidance
This skill appears coherent and contains helpful templates and guardrails, but before installing consider: (1) Do not provide platform credentials — the skill is designed to create drafts, not to post on Reddit/X. (2) Review every draft before publishing and keep a human in the loop to avoid policy violations or deceptive messaging. (3) Ensure any outreach complies with the target platforms' terms of service and subreddit/account rules. (4) If you plan to extend the skill to actually post messages, require explicit confirmation and separate secure credential handling; otherwise keep it as a drafting/research tool only.

Review Dimensions

Purpose & Capability
ok: Name and description (repo/product audit, market research, positioning, and drafting outreach) line up with the provided templates and reference documents. There are no unrelated required binaries, env vars, or config paths that would be out of scope for the stated purpose.
Instruction Scope
note: SKILL.md and the reference files focus on research, scoring threads, and producing draft replies; they default to human-in-the-loop and explicitly discourage mass posting and deceptive automation. The instructions assume the agent can analyze user-supplied artifacts (README, repo, landing page) and search public conversations; they do not instruct the agent to post on platforms or to access platform credentials. The SKILL.md appears truncated in the provided snippet but the included reference materials show a coherent, scoped workflow. Recommend confirming that the agent will only produce drafts and will not autonomously post to Reddit/X or request account credentials.
Install Mechanism
ok: No install spec and no code files: instruction-only skill. This minimizes disk writes and runtime installation risks.
Credentials
ok: The skill declares no required environment variables, no primary credential, and no config paths. That is proportionate for a market-research and outreach-drafting skill which only needs text inputs and public web searches.
Persistence & Privilege
ok: always:false and default agent invocation settings. The skill does not request persistent presence or elevated system modification privileges, and it does not attempt to modify other skills or system-wide agent settings.