Skillv1.0.0

ClawScan security

短视频带货脚本生成器 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 7, 2026, 4:35 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only skill that generates short-video sales scripts and its declared requirements and instructions are coherent and proportionate to that purpose.
Guidance: This skill appears to do what it says: generate short-video sales scripts and filming guidance. Before installing or enabling it, consider: (1) If you will provide product links or images, confirm how your platform handles fetching or exposing those URLs/attachments — avoid sending sensitive or private data. (2) Review generated scripts for legal and platform-compliance (advertising laws, medical/health claims, platform forbidden content) before publishing. (3) Test with non-sensitive sample data to evaluate output quality and tone. (4) If you allow autonomous agent invocation broadly, be aware the agent could call this skill automatically — that is normal but verify any automation rules so it doesn't auto-post or auto-send generated content without human review.
Findings: [no-findings] expected: The regex-based scanner had no code files to analyze. This is expected for an instruction-only SKILL.md; absence of findings is not a guarantee of safety but is consistent with the skill's lack of shipped code.

Purpose & Capability: okThe skill's name and description (short-video sales script generator for Douyin/Kuaishou/etc.) match the SKILL.md instructions: templates, hooks, comment prompts, and storyboard/timestamped scripts. It does not request unrelated binaries, environment variables, or credentials.
Instruction Scope: noteSKILL.md stays within the stated purpose: generate scripts, styles, and filming guidance. It does not instruct reading system files or secret env vars. One minor note: the doc says it supports product links/images; it does not specify how those are fetched or processed. If the agent or platform is configured to fetch external URLs or process attachments automatically, that network/activity is outside this SKILL.md and should be reviewed in platform settings.
Install Mechanism: okNo install spec and no code files — instruction-only. Nothing is written to disk or downloaded by the skill itself, which minimizes install-time risk.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets or system access relative to its functionality.
Persistence & Privilege: okalways:false and default model-invocation behavior. The skill does not request elevated persistence or modify other skills. Autonomous invocation is allowed by platform default but this skill does not request additional persistent privileges.