Skillv1.0.0

ClawScan security

Content Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 15, 2026, 9:24 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and instructions match its description — it generates platform-specific marketing copy and does not request credentials, install third-party software, or contact external endpoints.
Guidance: This skill appears internally consistent and low-risk from a security perspective: it only generates text locally and does not request secrets or fetch external code. Before installing, consider these practical points: 1) Origin: the skill has no homepage and an unknown owner — if you require provenance, ask the publisher for more info. 2) Privacy: avoid pasting personal data or customer PII into prompts, since generated output will include whatever you provide. 3) Compliance/accuracy: marketing copy can imply product claims — review outputs for factual accuracy and legal/compliance issues (medical/health/claims, endorsements, copyright). 4) Behavior: the code is simple and readable, but if you plan to run at scale or integrate into automation, audit how the agent supplies product data (to avoid leaking sensitive internal info). If you want a deeper review, provide the runtime environment (how the skill is loaded/executed) so I can check for any platform-specific execution or sandboxing concerns.

Purpose & Capability: okThe name/description (multi-platform shopping/recommendation copy) align with the included index.js implementation: templates and generators for 小红书, 抖音, 朋友圈, 知乎. There are no unrelated dependencies, binaries, or environment variables requested.
Instruction Scope: okSKILL.md contains only usage examples for generating text and does not instruct the agent to read arbitrary files, access system configuration, or transmit data to external endpoints. The runtime code likewise performs only in-memory text generation.
Install Mechanism: okNo install spec is provided (instruction-only at registry level). A single small index.js file is included, but there is no download/extract/install step and no references to third-party install sources, so no on-install code-fetch risk is present.
Credentials: okThe skill declares no required environment variables or credentials and the code does not reference process.env or other secrets. There is no disproportionate credential access.
Persistence & Privilege: okalways is false and the skill is user-invocable. The skill does not attempt to modify other skills or system-wide settings; it simply exports a ContentGenerator class for producing text.