Skillv1.0.0

ClawScan security

Brainhole Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 2, 2026, 6:27 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only, creative "what if / parallel universe" generator whose declared requirements and runtime instructions are consistent with its stated purpose and do not request unrelated credentials or installs.
Guidance: This skill is internally coherent and low-risk from a resource/credential perspective — it only contains instructions for generating creative text and image prompts. Before installing, consider: (1) moderation: the generator can produce edgy or offensive content if prompted, so ensure your agent enforces content-safety policies; (2) image workflows: if you plan to automatically send generated prompts to an image service, that integration will require separate credentials and review; (3) trigger tuning: the listed trigger phrases are broad and could activate unintentionally—adjust trigger logic if you want narrower activation. If you want extra safety, add explicit policy checks (no hate speech, explicit content filters) to the agent flow.

Purpose & Capability: okThe skill name, description, triggers, and required outputs all match a creative 'what if' / parallel-universe generator. It does not ask for unrelated binaries, environment variables, or cloud credentials that would be out of scope for this purpose.
Instruction Scope: okSKILL.md gives precise, constrained runtime instructions (extract theme, produce five specific output sections, follow example format). It does not instruct the agent to read files, access system paths, or transmit user data to external endpoints. It does suggest generating prompts for third-party image tools (Grok Imagine / Flux / Midjourney), but only as text output — it does not require or attempt to use image service credentials.
Install Mechanism: okNo install spec and no code files are present (instruction-only). This is the lowest-risk model: nothing is written to disk or fetched automatically during install.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. Mentions of external image services are only for prompt formatting and are not accompanied by any credential requests.
Persistence & Privilege: okalways:false (default) and no special persistence or modifications to other skills are requested. disable-model-invocation is false (normal); autonomous invocation alone is expected and not problematic here.