Skill v1.0.0
ClawScan security
design-analysis · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 1:41 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it claims (scan a local image folder and produce an HTML presentation) and has no network or secret access, but the description overstates its analysis capabilities and the runtime will embed raw HTML/filenames, which is a modest risk — review before use.
- Guidance: This skill reads a local image folder and writes a single HTML presentation file; it does not call external networks or require credentials. Before installing or running it:
  1. Understand that it does not perform real image-vision analysis — its 'analysis' is template-driven, based on filenames and timestamps. If you need true image content analysis, this skill does not provide that.
  2. Be careful when passing sections[].content (HTML strings) or any untrusted inputs — they are embedded verbatim into the output HTML and could be used for malicious content when opened in a browser.
  3. Run the provided install.sh/test locally first in a safe folder to observe behavior, and inspect the generated HTML (and image paths) before sharing.
  4. If you plan to let the agent invoke this skill autonomously, limit the input_folder/output_file to directories you control and avoid exposing sensitive files.
  If you want higher assurance, request that the author add explicit image-content analysis code (e.g., a clear call to a vision library or model) or label the capability accurately.
Review Dimensions
- Purpose & Capability (concern): The name/description promise '智能分析图片内容' (intelligent image content analysis). The implementation only scans filenames and modification times and inserts template text — there is no image-vision, OCR, or external model call. This is an overclaim: the required files and code are otherwise consistent with generating HTML from local images, but the advertised 'intelligent analysis' is not present in the code.
- Instruction Scope (note): SKILL.md and run.js direct the agent to read a local input folder and write an output HTML file, which the code does. However, the skill accepts sections[].content as raw HTML and writes it directly into the generated file without sanitization; that means untrusted or injected HTML could produce unsafe content when the resulting HTML is opened (local XSS/phishing risk). run.js also logs the entire params object (including any context) to stdout.
- Install Mechanism (ok): No install spec is provided, and the included install.sh only performs local checks and optional test runs. There are no remote downloads, package installations, or extract-from-URL steps. This is low-risk from an install-mechanism perspective.
- Credentials (ok): The skill requests no environment variables and no credentials, and package.json declares only file access capabilities (read/write/scan), which match the described purpose. There are no unrelated secrets or network permissions requested.
- Persistence & Privilege (ok): always:false, and no mechanism to persist or to modify other skills or system configuration. The skill reads/writes only the input/output paths provided; autonomous invocation is allowed by default but is not combined with other high-risk capabilities.
