Skill v1.0.0

ClawScan security

Social Media Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 1:38 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated social‑media content and scheduling purpose, but metadata inconsistencies (author/version/owner) and included executable scripts with no clear provenance merit a cautious review before installing or providing credentials.
Guidance
This skill appears to implement the social media functions it claims (content generation, hashtag research, calendar planning) and contains only local Python scripts and documentation. However, there are small provenance inconsistencies you should check before installing: SKILL.md metadata (author 'Xiao Xing' and version 2.0.0) does not match the registry metadata (owner slug and version 1.0.0). That can indicate the package was repackaged or edited by someone else.

Recommended actions before installing:
1) Review the included Python scripts yourself (or have a developer do so) to confirm there are no hidden network calls or credential-usage paths.
2) If you plan to enable automatic posting, require clear code that integrates with platform APIs and only provide API keys after code review; never paste credentials into prompts.
3) Ask the publisher for source repository, license, and author attribution to confirm provenance.
4) If you run the scripts, do so in an isolated environment (container or VM) until you are comfortable with their behavior.

If you expect automatic posting features, be aware this bundle currently lacks OAuth/API integrations; adding those will require additional code and credentials, so treat that step as a separate security review.

Review Dimensions

Purpose & Capability: ok
Name/description (social media content, scheduling, hashtags, analytics) align with the included files: content generation, hashtag tool, calendar planner, and post generator. There are no requests for unrelated services or secrets in the manifest.
Instruction Scope: ok
SKILL.md contains prompts and platform guidance only (no instructions to read unrelated system files or exfiltrate data). The runtime instructions are limited to content-generation prompts and best practices; they do not instruct network calls or credential usage. The included scripts implement local generation and calendar logic and do not reference external endpoints or unexpected file paths.
Install Mechanism: ok
No install spec is present (instruction-only in terms of install), and no downloads or package installs are requested. The code files are pure Python scripts included in the bundle; nothing is fetched from external URLs during install.
Credentials: ok
The skill declares no required environment variables, credentials, or config paths; the code likewise does not access environment variables or secrets. This is proportionate to a content-generation/scheduling utility, but note that the skill also lacks any built-in API integrations for posting, so it will not post to platforms without additional credentials/code.
Persistence & Privilege: ok
The skill does not request always:true, does not modify other skills or global agent settings, and contains no autonomous persistent components. It will not run persistently or gain elevated platform privileges based on the manifest.