Skillv1.0.1

ClawScan security

Article Taster · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 9, 2026, 1:46 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, instructions, and requirements are consistent with an article-quality analyzer: it reads article text, scores it, and produces reports; it does not request credentials or network access and its Python dependencies are proportional to the task.
Guidance: This skill appears to do exactly what it claims: local analysis of article text and AI/originality heuristics. Before installing or running it: 1) ensure you run it in an environment with Python and the requirements (jieba, scikit-learn, numpy) or install them yourself; 2) only pass article texts you are comfortable having processed locally (the tool reads files you give it); 3) if you need network-isolated execution, run it offline — the code shown does not perform network calls, but you should verify the omitted files if you have concerns; 4) expect some heuristics and false positives in AI-detection (the code uses simplified heuristics rather than a full language-model perplexity), so treat results as guidance, not definitive proof of authorship.

Review Dimensions

Purpose & Capability: okName/description (article quality/AI-detection/originality) match the included modules: classifier, analyzers, AI detector, scorer, and report generator. Declared runtime needs (none) are minimal; the requirements.txt (jieba, scikit-learn, numpy) are appropriate for Chinese text analysis and NLP features the skill implements.
Instruction Scope: okSKILL.md and main.py limit operations to analyzing provided text, optional file input, and batch directory processing. Instructions do not ask the agent to read unrelated system files, secrets, or to transmit data to external endpoints. The only file I/O is reading user-supplied article files (via --file or --dir), which is expected behavior for this tool.
Install Mechanism: noteNo install specification is provided even though the skill includes Python modules and a requirements.txt. This is not a security risk by itself, but it means dependencies won't be automatically installed; a runtime environment must provide Python and the listed packages. There are no downloads or remote installers in the manifest.
Credentials: okThe skill requests no environment variables, no credentials, and does not reference system config paths. All environment/credential access is absent, which is proportionate for a local text-analysis tool.
Persistence & Privilege: okSkill is not marked always:true and does not request persistent or elevated privileges. The code operates on inputs it is given and generates reports; it does not modify other skills or global agent configuration.