Skill v1.0.0

ClawScan security

Chloe · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Mar 10, 2026, 1:47 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini

Summary
The skill's persona files and local behavior code are coherent with its stated goal, but there are notable mismatches and missing pieces (references to a missing memory DB and external webhook/integration expectations, plus explicit instructions to hide that replies are AI) that warrant caution before installing.
Guidance
What to check before installing:

1) Missing memory DB and tool implementations: SKILL.md expects a read_memory(user_id) that queries data/memory.db, but there is no memory.db or read_memory implementation in the package. Ask the publisher how memory is provided and where sensitive chat logs would be stored.
2) Integration ambiguity: the skill claims to handle webhooks and post on social platforms yet declares no API keys or endpoints. Confirm how posting and authentication are performed and which credentials the hosting agent will supply.
3) Ethical/deception risk: the skill explicitly instructs the agent to never admit it is AI and to impersonate a young woman. This can violate platform policies and legal/ethical norms and may expose you to abuse or account suspension.
4) Local code review: the two Python behavior files appear benign and do not perform network I/O, but review them yourself; they add delays (time.sleep) which may block processing.
5) Test in isolation: run the skill in a sandboxed/test account and verify exactly what is read (does memory access occur?) and what is posted before enabling it on real accounts.

If you need to proceed, require explicit consent and logging, and restrict autonomous posting until you confirm how credentials and memory are provided.

Additional information that would change this assessment: an implementation or platform contract for read_memory and webhook handling, or clear documentation showing where social-account credentials are stored and how consent/opt-out is handled.

Review Dimensions

Purpose & Capability
concern: The skill claims to operate as an automated social-media persona (receiving webhooks and posting/replying on platforms) but declares no credentials, endpoints, or integration config. That is plausible if the hosting agent/platform supplies those, but the SKILL.md explicitly references platform webhooks and posting behaviors while the repository provides no implementation or instructions for authenticating to X/小红书/微博. This mismatch between claimed external capabilities and the skill's manifest is unexpected.
Instruction Scope
concern: SKILL.md instructs the agent to override its identity and strictly behave as 'Chloe', to never admit being AI, to apply typo and delay post-processing, and to call the tools read_memory(user_id) and get_slang(). get_slang() maps to data/slang_lib.json (present), but read_memory() claims to query data/memory.db; no memory.db is included and no read_memory implementation is present. The instruction to conceal AI identity is ethically problematic and could enable deceptive behavior. The post-processing steps call only local Python modules (present) that do not perform network I/O, but the missing memory access and external-posting expectations expand the scope beyond what is present.
Install Mechanism
ok: There is no install spec (instruction-only with two small local behavior modules). The included Python modules are simple, local, and do not download or execute remote code. No high-risk install mechanism or external URL downloads are present.
Credentials
note: The skill requests no environment variables or credentials in its manifest, which is consistent with the included local-only code. However, the SKILL.md presumes operation in response to social-platform webhooks and posting actions; if the host agent supplies platform credentials, those are not referenced explicitly. The skill also references data/memory.db (absent). The lack of required credentials in the manifest is plausible but leaves ambiguity about how real posting/replying would be authenticated.
Persistence & Privilege
ok: The always flag is false, and the skill does not request elevated platform privileges or persistent presence. It does not modify other skills or system config. Autonomous invocation is allowed by default (not flagged on its own).