Skillv1.0.0

ClawScan security

Cn Text Summary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 1:07 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The code is a simple Chinese text summarizer and broadly matches the claimed purpose, but the runtime instructions (filenames, flags, and interactive behavior) do not match the included script, which is an incoherence you should resolve before trusting the skill.
Guidance: Key things to consider before installing: (1) The documentation and the script disagree — SKILL.md references 'cn_text_summary.py', interactive stdin usage, and flags like --keywords and length aliases; the actual script is scripts/text_summary.py, requires the text as the first CLI argument, supports only -l/--length with an integer, and lacks a --keywords flag. Either the docs or the script should be corrected. (2) The script has no network calls or secret access, so it does not appear to exfiltrate data, but you should still review or run it in a sandbox before allowing automatic invocation. (3) If you expect interactive behavior (pasting long text) or friendly flags (short/medium/long), ask the author to fix the CLI or update SKILL.md. (4) If you will install widely or let agents invoke autonomously, prefer a version that: a) matches its documentation, b) accepts stdin or files for long inputs, and c) validates/limits input size. If you cannot verify the fix, treat the skill with caution and avoid granting it autonomous runs in sensitive environments.

Review Dimensions

Purpose & Capability: noteThe included Python script implements extraction of key sentences, a simple summarizer, and keyword extraction (using jieba if available) — this aligns with the skill description. However, the SKILL.md usage examples reference a different filename (cn_text_summary.py) and suggest interactive/paste input and flags (--keywords, --length short/medium/long) that the script does not implement as documented.
Instruction Scope: concernSKILL.md instructs running 'python3 cn_text_summary.py' with flags like --keywords and length modes (short/medium/long) and describes interactive input, but the actual script is at scripts/text_summary.py, expects the text as sys.argv[1] (not stdin), only parses -l/--length followed by an integer, and does not implement a --keywords flag or length aliases. Following the docs will produce errors or unexpected behavior.
Install Mechanism: okNo install spec is provided and the code has no network access or external installers. The only dependency is optional 'jieba' for better Chinese keyword extraction; that is reasonable and proportional.
Credentials: okThe skill requests no environment variables, credentials, or config paths. The script reads only command-line arguments and has no network, file-system reads beyond argv, or environment access — this is proportional to a summarizer.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated or persistent presence. It does not modify other skills or system configuration.