v1.0.0

Content Generation Skill Pack

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:14 AM.

Analysis

The writing instructions look mostly benign, but the package has inconsistent identity metadata and asks for unexplained external tooling, an npm dependency, and a search API key.

Guidance: Before installing, verify the publisher and package identity because the registry metadata and packaged _meta.json do not match. If you proceed, use a limited Brave API key and be aware that the declared npm package and command-line tools are not clearly justified by the visible content-writing instructions.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
_meta.json
"ownerId": "kn79yq0mt59bnzdp29kfgxsk0181j3b1", "slug": "content-generation"

This packaged metadata conflicts with the supplied registry metadata, which lists a different owner ID and slug. That creates provenance ambiguity about which publisher and package identity the user is actually installing.

User impact: Users may have difficulty verifying the package origin or whether this artifact was repackaged from another source.
Recommendation: Confirm the publisher and package identity before installing, and prefer a build whose registry metadata and packaged metadata match.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
SKILL.md
requires: bins: ["curl", "jq", "git"] ... install: ... kind: node ... package: axios ... bins: ["axios"]

The skill declares local command requirements and an npm package install even though the visible content-generation instructions are instruction-only and do not clearly describe why these tools are needed.

User impact: Installation may add or rely on external tooling that is not obviously necessary for writing content.
Recommendation: Install only if you are comfortable with the declared tools and npm dependency, and verify that they are needed for your intended use.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
env: ["BRAVE_API_KEY"]

The skill requires a Brave API key. This is plausibly related to research, fact-checking, or SEO work, but it is still an external service credential.

User impact: The skill may use your Brave Search API quota and send search queries to that provider.
Recommendation: Use a dedicated, limited API key where possible and monitor usage; only provide it if you want the skill to perform web-search-backed research.