Skill v1.0.2
ClawScan security
Memelord · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 16, 2026, 11:01 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill’s files, required binaries, and runtime instructions match its stated purpose (calling memelord.com APIs to generate/edit memes); nothing in the bundle appears to try to do unrelated or hidden actions, though there are a few modest hygiene issues you should be aware of.
- Guidance: This skill appears to do what it says: call memelord.com APIs to create/edit memes and download results. If you install it, only provide the MEMELORD_API_KEY it requests and avoid putting other unrelated secrets into the same .env file because _env.sh exports everything it finds. When using webhooks, prefer ephemeral or dedicated webhook endpoints and avoid passing secrets on shared command lines or logs. If you need higher assurance, inspect the scripts yourself and run them in a restricted workspace/container before giving them network access to your main environment.
Review Dimensions
- Purpose & Capability (ok): Name/description, declared binaries (node, curl, realpath), and required env (MEMELORD_API_KEY) line up with the included scripts, which make HTTP requests to https://www.memelord.com API endpoints and download media. The requested capabilities are proportional to meme/image/video generation.
- Instruction Scope (note): SKILL.md and the scripts stick to generating, editing, polling, downloading, and verifying webhook payloads for memelord.com. They do source a local .env file and write files into outputs/; the README suggests a /root path in an example (odd in multi-user environments) but this is just an example. The scripts accept webhook URL/secret parameters; using webhooks means you will expose an external callback surface if you supply a public webhook URL.
- Install Mechanism (ok): No install spec. The skill is delivered as runnable shell/node scripts and assumes node/curl/realpath are present. Nothing is downloaded from arbitrary URLs during install; files are plain-text and readable.
- Credentials (note): The skill declares a single required secret (MEMELORD_API_KEY), which is appropriate. However, _env.sh auto-sources and exports everything from a local .env file: if you put additional unrelated secrets in .env, they will be exported into the skill's process environment and any child processes. Also, several scripts accept webhook secrets as CLI args, so be careful not to expose secrets in logs or shared command histories.
- Persistence & Privilege (ok): always is false and the skill does not request any elevated or persistent platform privileges. It does not modify other skills or system config. Runtime behavior is limited to making HTTP requests and writing to the local workspace.
