Skill v1.0.1
ClawScan security
AI Prompt Researcher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 1, 2026, 7:21 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files and instructions are coherent with its stated purpose (generating and clustering AI-search prompts) and it does not request credentials or perform networked actions in the included code, but the runtime docs reference additional scripts that are not present.
- Guidance: This skill appears to do what it says: generate and cluster prompt lists and output a markdown report. Before installing, note that SKILL.md mentions extra scripts (competitor_prompts.py, trending_prompts.py, monitor_prompts.py) that are not included — ask the publisher whether those tools are intentionally omitted or will be added. Also consider: the shipped Python script is local and does not call external services or require credentials, but if missing monitoring scripts are later added they might contact external endpoints — review any added scripts for network calls or API keys. If you plan to run the script, run it in a controlled environment and inspect any new files before giving it broader privileges.
Review Dimensions
- Purpose & Capability (ok): The name/description (AI prompt research) aligns with the included assets: SKILL.md, a prompt-generation Python script, and extensive reference docs and templates. The Python code produces prompt lists, clusters, and a markdown report — exactly what the skill claims to do.
- Instruction Scope (note): SKILL.md gives concrete instructions and expects the agent to collect brand/category/audience input and run provided scripts. However, the documentation and examples reference additional scripts (scripts/competitor_prompts.py, scripts/trending_prompts.py, scripts/monitor_prompts.py) that are not present in the file manifest. That mismatch is an inconsistency: the instructions advertise functionality that is not shipped. Otherwise, the instructions do not ask the agent to read unrelated system files or access secrets.
- Install Mechanism (ok): No install spec is declared (instruction-only + one included script). Nothing is downloaded or written by an install step. The included Python script uses only standard library imports (argparse, json, sys, datetime) and does not pull remote code at install time.
- Credentials (ok): The skill declares no required environment variables, no credentials, and no config paths. The provided code likewise does not reference any environment variables or secret material. The level of access requested is proportional to the stated purpose.
- Persistence & Privilege (ok): Flags show always:false and default autonomous invocation allowed (normal). The skill does not request permanent system presence or attempt to modify other skills or system-wide settings in the shipped files.
