Skill v1.0.0

ClawScan security

social-media-caption-writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Apr 19, 2026, 8:20 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions match its stated purpose (writing platform-specific captions) and request no credentials or installs, but the SKILL.md contains detected Unicode control characters (a prompt-injection signal) and the source is unknown. This warrants caution before installing.
Guidance
This skill appears functionally coherent for generating social captions and asks for no credentials, which is good. However, the SKILL.md contains detected Unicode control characters (a common prompt-injection technique) and the publisher/source is unknown. Before installing:
1. Inspect the raw SKILL.md for invisible characters or unexpected content (show hidden characters in your editor, or list every non-ASCII codepoint in the file).
2. If your platform allows, run the skill in a safe, sandboxed context with non-sensitive sample inputs first.
3. Do not supply private credentials, secrets, or sensitive brand IP until you have verified the publisher.
4. Ask the publisher for a canonical source/homepage or a signed release to increase trust.
If you cannot confirm the SKILL.md contents or the publisher, avoid installing, or restrict the skill to manual invocation only.
Findings
[unicode-control-chars] unexpected: Hidden or control Unicode characters are not expected in a simple instruction-only caption writer. Such characters (zero-width spaces, bidirectional overrides, tag characters) are commonly used in prompt-injection attempts to hide or alter instructions that a model sees but a human reviewer does not. The finding does not by itself prove malicious intent, but it increases risk and ambiguity.
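The guidance's first step (inspect the raw SKILL.md for invisible characters) and the finding above both come down to one check: enumerate every codepoint in the file that a renderer would hide or that changes how text is displayed. The script below is an added example, not part of ClawScan or the skill; it scans a constructed sample SKILL.md (the `SAMPLE_SKILL_MD` string is made up for this example and is not the real skill's file), reports line, column, codepoint and Unicode name for each control, format, private-use, unassigned, or unusual-space character, and additionally decodes the Unicode "tag" block (U+E0020..U+E007E), which maps printable ASCII onto invisible codepoints and is a common way to smuggle hidden instructions. Ordinary newline, carriage return and tab are allowed.

```python
import sys
import unicodedata
from dataclasses import dataclass

# General categories that are invisible or alter rendering:
# Cc control, Cf format (zero-width, bidi overrides, tag characters),
# Co private use, Cn unassigned. Zs (space separators) other than
# U+0020 are flagged too, since non-breaking and ideographic spaces
# are a classic way to break naive keyword matching.
SUSPICIOUS_CATEGORIES = {"Cc", "Cf", "Co", "Cn"}
ALLOWED_CONTROLS = {"\n", "\r", "\t"}  # normal text-file whitespace


@dataclass(frozen=True)
class Finding:
    line: int
    col: int
    codepoint: str   # e.g. "U+200B"
    name: str        # Unicode character name, or "<unnamed>"
    category: str    # general category, e.g. "Cf"


def scan_text(text: str) -> list[Finding]:
    """Return every suspicious codepoint with its 1-based line and column."""
    findings: list[Finding] = []
    line, col = 1, 1
    for ch in text:
        cat = unicodedata.category(ch)
        suspicious = (cat in SUSPICIOUS_CATEGORIES and ch not in ALLOWED_CONTROLS) or (
            cat == "Zs" and ch != " "
        )
        if suspicious:
            findings.append(
                Finding(line, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"), cat)
            )
        if ch == "\n":
            line, col = line + 1, 1
        else:
            col += 1
    return findings


def decode_tag_characters(text: str) -> str:
    """Recover ASCII hidden with Unicode tag characters.

    U+E0020..U+E007E mirror U+0020..U+007E; subtracting 0xE0000 yields
    the printable ASCII a reviewer never saw in the rendered file.
    """
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def _hide_as_tags(ascii_text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return "".join(chr(0xE0000 + ord(c)) for c in ascii_text)


# Constructed sample SKILL.md for this example (NOT the real skill's file).
# Line 3 ends in a zero-width space, line 4 wraps text in a right-to-left
# override, and line 5 carries "(hidden)" encoded as tag characters.
SAMPLE_SKILL_MD = (
    "# social-media-caption-writer\n"
    "Write platform-specific captions with hashtags and a CTA.\n"
    "Keep brand voice consistent.\u200b\n"
    "Tone: \u202e(reversed)\u202c\n"
    "Posting time: evenings." + _hide_as_tags("(hidden)") + "\n"
)


def report(text: str) -> list[str]:
    """Human-readable lines for each finding plus any decoded tag payload."""
    lines = [f"{f.line}:{f.col} {f.codepoint} {f.category} {f.name}" for f in scan_text(text)]
    hidden = decode_tag_characters(text)
    if hidden:
        lines.append(f"tag-encoded payload: {hidden!r}")
    return lines


if __name__ == "__main__":
    # Usage: python scan_skill.py [path/to/SKILL.md]; defaults to the sample.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SKILL_MD
    for row in report(source):
        print(row)
```

Run it against a real SKILL.md before installing; an instruction-only caption writer should produce no rows at all. Any bidi override (U+202A..U+202E, U+2066..U+2069) or tag-encoded payload is reason enough to stop and ask the publisher what it is for.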

Review Dimensions

Purpose & Capability
[ok] Name, description, and runtime instructions are coherent: the skill only describes generating social media captions, hashtags, emojis, CTAs, and posting-time advice. It does not request unrelated binaries, cloud credentials, or system access.
Instruction Scope
[note] Instructions stay within the caption-writing task and do not ask the agent to read files, environment variables, or external services. However, a pre-scan detected Unicode control characters inside SKILL.md (an injection pattern); these could hide or change instructions when the file is parsed by different systems. Also, the 'Brand Voice Adaptation' wording implies learning across requests, but no persistence or learning mechanism is specified.
Install Mechanism
[ok] No install spec and no code files: the lowest-risk delivery model (instruction-only). Nothing is written to disk by an installer.
Credentials
[ok] The skill requests no environment variables, credentials, or config paths. The required scope is proportionate to a caption generator.
Persistence & Privilege
[ok] 'always' is false and the skill is user-invocable. The skill does not request persistent presence or system-wide config changes. Autonomous invocation is allowed by platform defaults but is not itself a new risk here.