Skill v1.0.5
ClawScan security
Hexo Blog with SEO · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 10:41 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions match its stated purpose (drafting, SEO-polishing, and deploying Hexo posts); nothing requested is disproportionate or unrelated.
- Guidance: This skill appears coherent for managing a Hexo blog, but before installing/using it:
  1. Ensure Node, npm/npx, and hexo are installed and updated.
  2. Confirm and explicitly provide the correct local repo path when asked (the agent will need read/write access to that folder).
  3. Make sure your Git credentials or deployment token are configured safely in your Git client or CI — the skill does not request these but will rely on them for `npx hexo deploy`.
  4. Always require explicit confirmation before allowing the skill to remove `published: false` or run `hexo deploy` (the SKILL.md already specifies this).
  5. Consider running the skill in draft/preview mode first (generate only) to inspect generated output and commit changes manually if you prefer to retain control.

  If you are uncomfortable granting an automated agent write access to your blog repo or enabling autonomous runs that could push, do not enable autonomous invocation, or use the skill only interactively.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (Hexo blog drafting, SEO, deploy) align with its declared requirements: Node/npm/npx/hexo and local access to a Hexo repo. Asking for Git credentials or deploy tokens is expected for running `hexo deploy`.
- Instruction Scope (ok): SKILL.md stays within the blog workflow: it instructs creating/editing Markdown, using a front-matter template, performing optional local preview (`npx hexo clean && npx hexo generate`), and only running `npx hexo deploy` after explicit user confirmation. It requires read/write access to the repo path — which is necessary for the task. There are no instructions to read unrelated files or exfiltrate data.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or downloaded code. That minimizes filesystem/write risk; it relies on existing local binaries (node/npm/npx/hexo), which is appropriate for Hexo workflows.
- Credentials (ok): The skill declares no required environment variables and does not request secrets itself. It reasonably expects Git credentials or deploy tokens to be configured in the environment or Git client so `hexo deploy` can push. This is proportional to the deploy capability.
- Persistence & Privilege (ok): The skill is not force-enabled (always: false) and does not request system-wide persistence or modify other skills. It can be invoked autonomously per platform defaults, which is normal — but autonomous runs would have the ability to modify the local repo if granted file permissions, so operator caution is still warranted.
