Skill v1.0.0
ClawScan security
Smart Marketing Copy Cn Payment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 5, 2026, 11:19 AM
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The file is a sales page asking users to pay a personal Alipay/QQ account to 'unlock' features but contains no runtime instructions, APIs, or credentials integration — this mismatch is incoherent and risky.
- Guidance: This SKILL.md is basically a sales page that asks you to pay via a personal Alipay account or QQ to "unlock" features but contains no implementation, API integration, or runtime instructions—it's incoherent as an installable/usable skill. Before installing or using this skill: do not send money to the listed accounts; prefer skills that integrate with an official API or platform billing; ask the publisher for a demo, written API docs, and proof that paying will grant access inside the agent; verify the seller identity and reputation; check for platform-approved payment/subscription methods; and only proceed if the vendor provides verifiable, on-platform subscription mechanics. If you want this functionality safely, request a version that includes concrete runtime instructions (API endpoints, required env vars, or OAuth flow) and does not ask users to pay off-platform.
Review Dimensions
- Purpose & Capability (concern): The skill claims to be a 'paid' intelligent marketing copy generator, but provides no APIs, auth, or implementation details. Instead it contains off-platform payment instructions (personal Alipay/QQ identifiers). There is no justification for how paying those accounts would enable functionality inside the skill.
- Instruction Scope (concern): SKILL.md is a marketing/payment page, not runtime instructions for an agent. It doesn't tell the agent how to generate copy, authenticate, or call any service; it only tells humans how to pay a personal account. This could cause the agent to prompt users to pay outside the platform or be used to social-engineer payments.
- Install Mechanism (ok): No install spec and no code files (instruction-only). That minimizes direct code-install risk, but also means there is nothing in the skill that actually implements the claimed functionality.
- Credentials (ok): The skill requests no environment variables, binaries, or config paths. However, it embeds external payment identifiers (Alipay account and QQ string) in the doc, which is a non-technical but relevant red flag for social-engineering or off-platform payments.
- Persistence & Privilege (ok): `always` is false and there is no indication the skill requests persistent system privileges or modifies other skills or config.
