Skillv1.0.0

ClawScan security

视频封面设计助手 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 29, 2026, 2:30 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files, runtime instructions, and requirements are consistent with a local, offline video-cover design helper — it contains only template logic and no network, credential, or unusual install behavior.
Guidance: This skill appears coherent and local-only: it generates titles, layouts and color palettes using templates and randomness, and does not access the network or any secrets. If you plan to install it: (1) review the bundled script if you allow the agent to execute local code (it contains only template logic and a minor bug), (2) avoid granting it any unrelated credentials, and (3) if you enable autonomous invocation for agents, be aware it can run whenever eligible — that is normal but worth noting for any skill that executes code.

Review Dimensions

Purpose & Capability: okName/description (video cover design) match the included assets: SKILL.md describes generating copy, layouts, palettes and platform guidance, and the bundled Python implements exactly those features. No unrelated services, binaries, or credentials are requested.
Instruction Scope: noteSKILL.md stays within the stated scope (extract copy, suggest layouts, palettes, and platform adaptations). The included Python script implements the same logic and does not instruct reading user files, environment variables, or sending data externally. Note: SKILL.md does not explicitly instruct the agent to run the bundled script; the script is purely local. Also the script has a minor coding bug: generate_composition references platform_config which is not defined in that function scope (functional issue, not a security concern).
Install Mechanism: okNo install spec is provided and no external downloads or package installs are required. The skill is instruction/code-only and will not write or execute external code from remote URLs.
Credentials: okThe skill requests no environment variables, no credentials, and no config paths. The code does not access os.environ or other secrets; all data is generated from inputs and static templates — credential requests would be disproportionate but none are present.
Persistence & Privilege: okThe skill is not always-on and does not request persistent/privileged presence. It does not modify other skills or system-wide configuration.