Skill v1.0.0

ClawScan security

Study Guide Web Page Generator (学习指南网页生成器) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 3, 2026, 9:12 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and instructions are coherent with its stated purpose (generate single-file interactive HTML study guides); it requests no credentials or installs and the example file contains only static HTML/CSS/JS and CDN references.
Guidance
This skill appears coherent and low-risk: it's instruction-only, asks for no credentials, and the example file is static and self-contained apart from common CDN links. Before installing, consider: (1) the SKILL.md explicitly instructs the agent to trigger the skill for many related prompt variants — if you don't want frequent automatic invocation, restrict or review triggering rules in the agent’s skill permissions; (2) inspect any generated HTML before publishing (ensure it contains no unexpected network fetches or inline links you don't want); (3) review the example content for subject-matter sensitivity or policy compliance (the example includes political/ideological phrasing that you may want to edit for neutrality); and (4) if you need auditability, confirm the agent logs when it invokes this skill so you can monitor usage.

Review Dimensions

Purpose & Capability
ok · Name/description promise: generate single-file interactive study-guide HTML. The skill is instruction-only, requests no binaries, env vars, or installs—consistent and proportionate to that purpose. No unrelated credentials or tools are asked for.
Instruction Scope
note · SKILL.md tightly specifies UI/JS/Tailwind patterns and tells the agent to use the included example (examples/example-guide.html) as a reference — reading the example file is expected for this task. The SKILL.md also instructs the agent to 'must trigger' this skill for many user phrasing variants; this is an aggressive invocation policy (behavioral/UX concern) but not a technical data-exfiltration issue. There are no instructions to read unrelated system files or transmit data to external endpoints beyond using public CDNs for Tailwind and FontAwesome.
Install Mechanism
ok · No install spec; instruction-only skill (lowest install risk). Example HTML references public CDNs (tailwindcdn, cdnjs) which is normal for front-end assets.
Credentials
ok · The skill requires no environment variables, credentials, or config paths. Nothing requested is disproportionate to generating HTML files.
Persistence & Privilege
note · Skill flags are default (always:false, autonomous invocation allowed). However, the SKILL.md text tries to force the agent to use this skill whenever any of a broad set of user intents is detected — this could increase how often the agent invokes the skill. This is a behavioral/UX concern rather than a privileged-credential concern.