Skill v1.0.1
ClawScan security
Shorts Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 7:51 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly implements a local story-generation pipeline, but there are multiple internal inconsistencies (docs vs code, claimed API vs local storage, retry limits, and an instruction-only claim despite included code files) that you should understand before installing.
- Guidance: This package generally implements a local story-generation pipeline and is not obviously malicious, but there are several mismatches you should review before installing:
  - Naming and manifest mismatches: the registry name ('Shorts Builder') and the SKILL.md/internal module name differ; the registry says "instruction-only" but the package contains runnable Python code. Treat this as a signal to verify origin.
  - Docs vs code inconsistencies: SKILL.md mentions a remote Graph API and a 3-retry limit for AI review, but the code uses local JSON files for graph storage and allows unlimited AI retries. If you rely on the 3-retry limit or remote storage, update/verify the implementation.
  - Data persistence: generated content and all pipeline state are written to data/pipeline_state.json and data/graphs/*.json. These files may contain any text you or users include. If that is sensitive, run the skill in an isolated environment or configure storage/retention policies.
  - Exposure to LLM provider: the AI-review prompts include full episode content and graph data — the agent will send those to whichever LLM it uses. If you have confidentiality concerns, avoid sending private data or run using a private model.

  Recommendations before enabling/installing:
  - Inspect the code locally (you already have it) and search for any network calls (requests, socket, urllib, etc.). The provided files show no obvious remote HTTP calls, but double-check for dynamically imported modules or later changes.
  - Run the skill in a sandboxed agent or VM to observe file writes and outbound network activity.
  - If you need the 3-retry limit or remote graph storage, update the pipeline.py/graph_manager implementations accordingly.
  - If you are concerned about persistent storage of story content, either relocate data/ to an encrypted or temporary directory or add a data-retention/auto-delete feature.
If you want, I can produce a short checklist or specific code edits to enforce a retry limit, disable disk persistence, or log all outbound requests for safer operation.
Review Dimensions
- Purpose & Capability (concern): The skill's declared name ('Shorts Builder') and the SKILL.md top-name ('story-pipeline') differ from the repository contents, which implement a story generation pipeline — this is probably just naming drift but is an inconsistency. SKILL.md and some documentation state the graph is accessed via a remote API, yet the included graph_manager implementation uses local JSON files under data/graphs. The registry says "instruction-only"/no install spec, but multiple Python modules are bundled. These mismatches are not clearly malicious but are incoherent and warrant scrutiny.
- Instruction Scope (note): The runtime instructions and code are consistent about reading/writing pipeline_state.json and graph JSON files and about sending prompts to an LLM for generation and review. However, SKILL.md's prose claims an AI retry limit of 3 tries while the pipeline implementation allows unlimited AI retries; the SKILL.md also mentions "call remote API" for graph queries while the code is purely local. Important: the AI review prompts include full episode content and graph data, so story content is sent to whatever LLM/review system the agent uses — this may expose sensitive or private text.
- Install Mechanism (note): No install spec is declared (lowest install risk), but executable Python modules are bundled with the skill. There are no downloads or external install steps in the manifest. Presence of code files without an install spec is unusual but not inherently dangerous; it means the agent will run local code shipped with the skill.
- Credentials (ok): The skill requests no environment variables or external credentials and the code does not read env vars. This is proportionate to a local story pipeline. One caveat: the skill will generate prompts that include story content and graph state which will be sent to the agent's LLM/AI provider — that is expected but may leak content to external model providers.
- Persistence & Privilege (concern): The code persistently writes and deletes files under data/ (pipeline_state.json and data/graphs/*.json). This is expected for a stateful pipeline, but it means generated content and any user-supplied text are stored on disk indefinitely unless deleted. The skill also supports delete_graph which removes files. While not excessive for this purpose, users should be aware of on-disk persistence and ensure storage location and retention are acceptable.
