Skillv1.1.0

ClawScan security

Newspaper Brief · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 7, 2026, 4:38 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are coherent with its stated purpose: it extracts/structures text and renders a local HTML/PNG newspaper-style long image, and it does not request unrelated credentials or network installs.
Guidance: This skill appears to be what it says: a local renderer that turns structured or extracted text into a newspaper-style HTML/PNG. Before using: (1) be aware the agent (or you) will process any text you supply to produce highlights/sections — do not supply secrets you don't want rendered into files; (2) the script will try to invoke a local Chrome/Edge for headless screenshots and will write output files (e.g., output/newspaper-brief/demo.*) to disk, so ensure the runtime environment has a browser or accept only HTML output; (3) no network exfiltration or external endpoints are present in the code, but always inspect generated HTML/PNG before sharing publicly. If you need higher assurance, run the script in a sandboxed environment or review the full script locally (it is included).

Purpose & Capability: okName/description (newspaper-style mobile long images) match the included SKILL.md and the render_newspaper.py script. The script and example JSON are exactly what a formatter/renderer would need; no unrelated credentials, binaries, or cloud access are requested.
Instruction Scope: okSKILL.md instructs the agent to extract key points from user-provided text (or accept pre-made summaries) and then run the provided script to produce HTML/PNG. The instructions reference only local files and a local browser for headless screenshots. There are no directives to read unrelated system files, send data to external endpoints, or collect additional secrets.
Install Mechanism: okNo install spec is present (instruction-only skill with a helper script). The script is pure Python and uses standard libs plus optional Pillow; it does not download arbitrary archives or run network installs. This is a low-risk install posture.
Credentials: okThe skill requires no environment variables, credentials, or config paths. The script attempts to locate local Edge/Chrome executables (common for converting HTML to PNG) and can use Pillow if available; this is proportional to rendering functionality and does not imply access to unrelated secrets.
Persistence & Privilege: okFlags show always:false and normal user-invocable/autonomous settings. The skill does not request persistent or elevated system privileges, nor does it modify other skills or system-wide configs.