Skill v1.0.0

ClawScan security

表情包生成器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 4:27 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and runtime instructions match its description: it creates local meme images (text overlay) and optionally fetches AI-generated images from Pollinations; it requests no secrets and has no surprising install steps.
Guidance
This skill appears coherent and implements what it says: local text-based meme generation and optional AI images fetched from Pollinations. Practical points to consider before installing: (1) AI mode sends whatever you type as the prompt to image.pollinations.ai — do not include sensitive or private information in prompts. (2) You will need to install Pillow and requests from pip; install packages from trusted sources. (3) The script reads system font files to render Chinese text; that is normal but means it may fall back to a default font if none are available. (4) If you are concerned about network calls, use the text mode only (no external requests) or run the script in a network-restricted sandbox. (5) You can review the included script file (cn_meme_generator.py) yourself — it is short and easy to audit and contains no obfuscated or hidden endpoints beyond Pollinations.

Review Dimensions

Purpose & Capability
ok
Name/description promise text-overlay and AI modes. The included Python script implements both: local image drawing using Pillow and an HTTP GET to Pollinations for AI images. Required libraries (Pillow, requests) are appropriate and proportional.
Instruction Scope
ok
SKILL.md instructs running the provided script with text or prompt. The script only reads system font files (to render text), writes an output PNG, and in AI mode performs a single GET request to image.pollinations.ai. It does not read unrelated user files, environment secrets, or transmit arbitrary local data.
Install Mechanism
note
There is no install spec (instruction-only style) but a code file is packaged. That code requires standard Python packages (Pillow, requests). No downloads from unknown hosts or archive extraction occur during install. You should still install dependencies from trusted package sources (pip).
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The runtime code likewise does not access or require secrets. This is proportionate to a meme generator.
Persistence & Privilege
ok
always is false and the skill does not request persistent system-level presence or modify other skills/configuration. Autonomous invocation remains possible (platform default) but is not combined with broad privileges here.