Skill v1.0.0
ClawScan security
product-expert-review · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 17, 2026, 2:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, scope, and requirements are internally consistent with its stated purpose (producing product experience reviews); it asks the agent to use browsing, search, and image inspection tools and does not request unrelated credentials or installs.
- Guidance: This skill appears coherent and safe to install from a packaging/requirement perspective. Before using it, confirm that your agent environment provides the browsing, web_search, and image-inspection tools the skill expects. Be cautious about sending URLs or screenshots that contain sensitive or proprietary data (the skill will instruct the agent to inspect and possibly summarize that content). If you intend to use the Feishu upload feature, verify how your platform supplies Feishu credentials and only provide them through a secure, explicit authorization flow; the SKILL.md does not declare or justify any credential access. If you need stronger privacy guarantees, ask the skill (or platform) to redact sensitive fields before analysis.
Review Dimensions
- Purpose & Capability (ok): The name/description (product experience reviews) aligns with the SKILL.md workflow: inspect URL/screenshots, gather external context, analyze 10 UX dimensions, and produce a structured report. The skill does not request unrelated binaries, creds, or system paths.
- Instruction Scope (note): Instructions explicitly tell the agent to use browser, web_search, and image tools to collect evidence and (optionally) upload reports to Feishu. This is appropriate for the task, but the SKILL.md assumes availability of those platform tools. It also instructs the agent to inspect privacy/security pages and permission prompts — reasonable for product reviews but worth noting that examining user-supplied URLs/screenshots can surface sensitive data; the skill does not include guidance on sanitizing or redacting sensitive content.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest-risk install surface. Nothing is downloaded or written to disk by the skill itself.
- Credentials (note): The skill declares no required environment variables or credentials, which is consistent with most parts of its workflow. One minor mismatch: it mentions optionally uploading the report to a Feishu doc but does not declare Feishu credentials or explain consent/authorization flows. That omission is a usability/clarity issue rather than a direct security contradiction.
- Persistence & Privilege (ok): always: false and normal agent invocation settings. The skill does not request persistent presence or elevated platform privileges.
