Skill v1.0.0
ClawScan security
Account Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 7, 2026, 2:54 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill claims to analyze social media accounts but provides no code or install, references non-existent scrapers and a missing analyze.py — the pieces don't add up and could hide risky behavior if completed later.
- Guidance: This skill is incomplete and inconsistent: it promises analysis but contains no code, no install steps, and no declared credentials. Before installing or enabling it, ask the publisher for: (1) the full source code or a canonical repo/release, (2) an install spec or requirements.txt, (3) explicit details about which platforms are supported and whether account credentials are required, and (4) a privacy/data-use statement describing what account data is collected, stored, or transmitted. Do not provide personal account tokens or passwords until you can review the code and confirm network endpoints. If you must test it, run it in a sandboxed environment and monitor outbound network traffic. Because the package origin is unknown and owner/homepage are missing, treat it as untrusted until you can validate its implementation and provenance.
Review Dimensions
- Purpose & Capability (concern): The name/description (social media account analysis) matches the listed capabilities, but the skill declares no code, no install, and no required credentials. The SKILL.md references a local script (skills/account-analyzer/analyze.py) and unspecified 'Platform scrapers' that are not present — this is inconsistent with the claimed functionality. A legitimate analyzer would either include code, point to a repo, or declare required platform credentials and installer steps.
- Instruction Scope (concern): The runtime instructions tell the agent to run a local Python script that is not included in the package. 'Platform scrapers' are listed as a dependency but not detailed; scraping social platforms can require network access, authentication, or cookies and may collect sensitive data. The SKILL.md gives the agent broad license to use scrapers without specifying which platforms, what data is collected, or what credentials are needed.
- Install Mechanism (note): There is no install specification (instruction-only), which minimizes immediate disk/write risk. However, because dependencies include vague 'Platform scrapers' and a non-existent analyze.py, the absence of an install step is more likely a sign of an incomplete or placeholder skill than a safe, self-contained implementation.
- Credentials (concern): No environment variables or credentials are declared despite the likely need for platform tokens or session cookies for many social networks (especially closed platforms like xiaohongshu). Either the skill expects unauthenticated public scraping (not always possible) or it is omitting necessary secret requirements — both are problematic. Declared Python deps (requests, pandas, matplotlib) are reasonable, but 'Platform scrapers' is too vague to judge.
- Persistence & Privilege (ok): The skill does not request always: true and does not assert extra privileges. Autonomous invocation is allowed (platform default), which is normal. There is no evidence it would modify other skills or system-wide settings.
