Skillv1.0.1

ClawScan security

Smart Marketing Copy Cn · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

ReviewMar 4, 2026, 6:22 AM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: This is an instruction-only skill that looks like a marketing/product listing rather than a runnable skill — it requests no credentials or installs, but the SKILL.md provides no runtime instructions or integration details, so it's underspecified and may be nonfunctional or incomplete.
Guidance: This package appears to be a product/marketing description rather than a runnable skill: it contains pricing and feature lists but no runtime instructions, API endpoints, or required credentials. That makes it likely nonfunctional or incomplete rather than malicious, but also means you shouldn't expect it to perform A/B tests or tracking out of the box. Before installing or using it: 1) Ask the publisher for a full SKILL.md describing runtime steps (what APIs/models are called, required env vars, URLs). 2) Verify a trustworthy homepage or source and check for a privacy/security policy. 3) If you install it, prefer not to grant secrets or elevated privileges until you see explicit, justified requirements. 4) If you need this capability now, prefer skills that declare clear integrations (API hosts, required tokens) and come from a verifiable publisher. If the author cannot provide concrete runtime details, treat the skill as incomplete and avoid relying on it for production workflows.

Purpose & Capability: noteName/description promise a marketing-copy generator with A/B testing and tracking, but the SKILL.md only contains metadata and pricing tiers; there are no declared integrations, APIs, or commands. The declared purpose is plausible, but the skill does not include the capabilities (instructions or credentials) needed to realize it.
Instruction Scope: concernSKILL.md contains only descriptive metadata and pricing — it does not provide any runtime instructions (how to generate copy, what model or API to call, how to perform A/B tests or tracking). The instructions are effectively missing/ambiguous, which grants the agent broad discretion or leaves the skill nonfunctional.
Install Mechanism: okNo install spec and no code files. Lowest-risk delivery (instruction-only) — nothing will be written to disk by an installer.
Credentials: okThe skill requests no environment variables, credentials, or config paths, which is proportionate given there are no integrations declared. Lack of requested secrets reduces exfiltration risk but also means the skill currently lacks integration capability.
Persistence & Privilege: okalways is false and default agent invocation is allowed. Nothing requests elevated or persistent privileges; no indications the skill modifies other skills or system settings.