Skillv1.0.2

ClawScan security

Medium Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignFeb 26, 2026, 5:53 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only skill whose requested capabilities and runtime instructions align with its stated purpose (writing and preparing Medium articles); it requests no installs or credentials and appears internally coherent.
Guidance: This skill is an instruction-only writing assistant for Medium and appears coherent: it will help draft, optimize, and prepare pitches but does not itself publish or fetch analytics. Before using it, understand that (1) to actually publish or link Stripe/Medium accounts you'll need to provide those credentials to whatever UI or process you use — do not paste login tokens or passwords into chat unless you trust the destination, (2) the skill may ask you for article URLs or engagement data — be prepared to provide only the data you want shared, and (3) review generated content for plagiarism, accuracy, and compliance with Medium's policies before publishing. If you need the skill to perform automated publishing, require a version that explicitly declares the API credentials it needs and a trustworthy install mechanism.

Purpose & Capability: okName/description (write and publish Medium articles) match the SKILL.md prompts: article creation, SEO, pitching, and repurposing. Nothing in the manifest asks for unrelated binaries, cloud creds, or system access.
Instruction Scope: noteSKILL.md is purely prompt/instruction text (writing, headline generation, pitch drafts, submission guidance, analytics suggestions). Some entries refer to analyzing an article URL or engagement data — the skill does not itself request analytics credentials or describe how to fetch engagement metrics, so the agent would need user-supplied data to perform those steps. The instructions do not ask the agent to read system files or access unrelated secrets.
Install Mechanism: okNo install spec and no code files — lowest-risk model (nothing is written or executed by the skill itself).
Credentials: okThe skill requires no environment variables, credentials, or config paths. That is proportionate: while actual publishing to Medium would require Medium/Stripe credentials, the SKILL.md does not attempt to collect them automatically.
Persistence & Privilege: okalways is false and the skill is user-invocable. It does not request permanent presence or system-wide configuration changes.