Skill v1.0.0
ClawScan security
Multimodal Asset Tagger · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 8:02 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is generally coherent with its stated purpose (generating AI-friendly metadata for assets) and contains only a small local script, but the documentation over-promises features (schema markup, scoring, multi-format outputs) that the included code does not implement.
- Guidance: This skill appears harmless and consistent with generating simple alt text/filenames, but the documentation over-promises features the code doesn't implement (schema markup, scoring, video/audio support). Before installing: (1) verify the source or owner if you require provenance; (2) review and run the small Python script in a sandbox/local environment; it only prints an alt text and a filename; (3) if you need Schema markup, scoring, or video/audio handling, plan to extend the code or use a different tool; (4) avoid supplying secrets or connecting it to production systems until you expand and test its functionality.
Review Dimensions
- Purpose & Capability (note): The name and description (generate alt text, filenames, captions, and Schema markup for images, video, audio) align with the provided SKILL.md guidance. However, the only executable code (scripts/optimize_asset.py) only produces simple Alt Text and a filename for images; it does not produce Schema markup, discoverability scores, or explicit support for video/audio. This is an over-promise vs. actual capability.
- Instruction Scope (note): SKILL.md instructs running the bundled Python script and contains methodology and templates. The runtime instructions do not request any secrets, system files, or network endpoints. They do, however, instruct generation of outputs (Schema, scores) that are not produced by the script, so following the SKILL.md may give a false expectation of behavior.
- Install Mechanism (ok): No install spec is provided (instruction-only). The included Python script is small, pure local code, and there are no external downloads, package installs, or archive extraction steps.
- Credentials (ok): The skill requests no environment variables, no credentials, and references no config paths. The code does not access environment variables or external services, so requested privileges are minimal and proportionate.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent presence or modify agent/system configuration. It runs a local script when invoked and does not store credentials or alter other skills.
