Skill v1.0.0
ClawScan security
OSINT Social Analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 1:06 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements align with its stated purpose (username OSINT via social-analyzer plus a small China-focused script); it does not request credentials or unusual privileges and performs only expected network lookups.
- Guidance: This skill appears to do what it says: run social-analyzer and a small Chinese lookup script to query public profiles. Before installing or running: (1) prefer creating a Python virtual environment rather than using pip with --break-system-packages; (2) review the social-analyzer package (its PyPI project and source repo) for supply-chain/trust concerns; (3) be aware the tool will make many automated HTTP requests (rate limits, CAPTCHAs, or IP blocks are possible), and ensure you have legal authorization to perform targeted investigations in your jurisdiction; (4) if you are uncomfortable with autonomous agents invoking this skill automatically, restrict invocation or require explicit user permission before running scans.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (username OSINT across 1000+ platforms) matches its contents: instructions to install and run the social-analyzer Python package, a shell wrapper, and a Chinese-platform Python script. Required binaries (python3, pip3) and included scripts are appropriate for the task.
- Instruction Scope (note): SKILL.md directs the agent to install social-analyzer and run it (plus cn_lookup.py for Chinese platforms). The runtime instructions explicitly perform HTTP requests to public platform APIs and parse JSON; they do not attempt to read unrelated local files, system config, or environment variables. Note: SKILL.md advises the skill be used automatically for any username lookup; that trigger policy is broad but consistent with the described purpose.
- Install Mechanism (note): No packaged install spec is embedded; SKILL.md instructs users to pip3 install social-analyzer (from PyPI). Installing a third-party package via pip is expected for a Python wrapper but carries the usual supply-chain risk. The documentation recommends the --break-system-packages flag (a system-level install flag), which is unnecessary and riskier than using a virtualenv; otherwise no downloads from unknown personal servers or shorteners are used.
- Credentials (ok): The skill requests no environment variables, no credentials, and no config paths. All network calls target public platform endpoints (e.g., Bilibili, Zhihu, Weibo) or rely on the social-analyzer package; this is proportionate to the stated functionality.
- Persistence & Privilege (ok): The skill does not request always:true and does not modify other skills or system-wide settings. It runs on demand and requires no elevated privileges; autonomous invocation is allowed but is the platform default and not combined with other concerning privileges.
