Skillv1.0.0

ClawScan security

Coffee Chat Playbook Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 4, 2026, 1:27 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requested tools and instructions are consistent with generating personalized coffee-chat playbooks; required tokens and steps map to the described functionality and there is no unexpected credential or install demand.
Guidance: This skill appears to do what it says, but consider these practical points before installing: - Apify/Notion tokens: The skill suggests using APIFY_API_TOKEN (for scraping) and NOTION_API_KEY (optional). Only supply tokens you control, and avoid storing them in plaintext shell profiles if you can (use a secrets manager or session-based export instead). - Scraping and ToS: The skill recommends scraping LinkedIn/X content. Confirm you have the right to scrape target pages and understand any terms-of-service or legal risks for scraping those sites. - Privacy of targets: The skill gathers public online signals about people. Be mindful of privacy and ethics when collecting or storing others' data. - External integrations: If you enable Notion pushes, grant the Notion integration the minimum scopes and review what will be written to your workspace before enabling automation. - memory/my-profile.md: The agent will read this local profile file for personalization. Do not include sensitive secrets (passwords, private keys) in that file. If you want stronger safety, avoid persisting credentials in shell profiles, restrict Notion integration scopes, and only run Apify commands manually when needed.

Review Dimensions

Purpose & Capability: okName/description align with the instructions: it collects a target name/LinkedIn URL, performs web/company/X research, optionally scrapes X via Apify and can push results to Notion. The only external tools referenced (Apify, Notion, web search/fetch) are relevant to the stated purpose.
Instruction Scope: noteInstructions are largely scoped to research and playbook generation. They instruct the agent to read memory/my-profile.md (expected) and to run Apify commands for X scraping. Minor scope notes: the README suggests persisting NOTION_API_KEY to ~/.zshrc (encourages storing a secret on disk) and scraping LinkedIn/X which could raise legal/ToS concerns but is within the skill's research purpose.
Install Mechanism: okThis is an instruction-only skill with no install spec or code files. It suggests installing apify-cli via npm if the user wants X scraping; that suggestion is proportional and uses a standard package source (npm).
Credentials: noteOptional credentials mentioned (APIFY_API_TOKEN for Apify scraping, NOTION_API_KEY for Notion pushes) are appropriate and relevant. The skill does not request unrelated credentials. Caution: instructions recommend adding NOTION_API_KEY to shell profile, which risks long-lived plaintext storage of a secret; Notion page ID handling is manual and expected.
Persistence & Privilege: okSkill is not always-enabled and does not request elevated system privileges or modify other skills. It expects the agent to read an application-local memory file (memory/my-profile.md), which is consistent with generating personalized playbooks.