Skillv1.0.0

ClawScan security

Crypto Content Crafter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 29, 2026, 9:14 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are coherent with its stated purpose (generating NFT/crypto marketing content); it asks for no credentials, performs no network or sensitive-system access, and its included script only formats text locally.
Guidance: This skill appears coherent and low-risk for local content generation: it only formats marketing copy from user-supplied inputs and does not access networks or secrets. Before installing/using: (1) review and run the included Python script locally in a safe environment (we inspected it — it just composes and prints text); (2) be cautious about publishing any generated content that asserts financial returns, staking/yield mechanics, governance rights, or contract addresses — verify those details yourself and avoid making legal/financial claims; (3) if you plan to augment the workflow by fetching market/floor-history data, ensure any network integrations are from trusted APIs and that you approve any credentials used; (4) do not paste private keys, wallet seeds, or other secrets into the interactive prompts or generated copy. If you want a deeper review (e.g., check for hidden network calls in a modified version or to add a publishing step), provide that code and we can re-evaluate.

Purpose & Capability: okName/description match the provided assets: templates, a small generation script, and usage docs. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: noteSKILL.md stays within scope (gather collection metadata and generate content). A tip to "include floor price history references" could encourage fetching external market data or making claims — the skill does not provide code to fetch such data, but users/agents should be careful to avoid unverified claims or unexpected network calls when following that tip.
Install Mechanism: okNo install spec; this is instruction-only with one bundled Python script. The script is self-contained, has no downloads or extract operations, and does not spawn network requests.
Credentials: okNo environment variables, credentials, or config paths are required. The skill does not request sensitive tokens or keys.
Persistence & Privilege: okalways is false, agent invocation rules are default, and the skill does not request persistent/system-wide privileges or modify other skills.