Skill v1.0.2
ClawScan security
Book Launch Campaign Kit · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 4:37 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files and runtime instructions match its stated purpose (creating book-launch assets); it includes a harmless scaffold script that only creates folders and markdown files and does not request credentials or install external code.
- Guidance
- This skill appears coherent and low-risk: it contains instructional docs and a small script that scaffolds a project folder and basic markdown files. Before installing/running: 1) Inspect the target path you pass to the scaffold script — it will create folders and files there. 2) If you plan to use external TTS or publishing services (Edge TTS, GitHub, ClawHub), be aware those may require separate accounts/API keys—this skill does not include or request those credentials. 3) Review any included assets (PDFs mentioned in README) to confirm licensing and that no unwanted content is present. 4) Be mindful of legal/ethical guidance in the docs about celebrity likenesses; avoid using real celebrity images/endorsements without permission.
Review Dimensions
- Purpose & Capability
- ok: Name and description (book launch campaign) align with the included SKILL.md, reference tutorials, and the small helper script. There are no unrelated credentials, binaries, or install steps requested that would be disproportionate to producing marketing assets.
- Instruction Scope
- ok: SKILL.md stays on topic: it describes workflows, deliverables, and instructs use of the included scaffold script and reference docs. It does not instruct reading of unrelated system files, exfiltrating data, or contacting hidden endpoints.
- Install Mechanism
- ok: No install spec is present (instruction-only), and the only code file is a small local Python script that writes project folders and simple markdown files. There are no downloads from external URLs or archive extraction behaviors to raise concern.
- Credentials
- note: The skill does not request environment variables or credentials. It mentions using higher-quality TTS (Edge neural TTS) and publishing steps (GitHub/ClawHub) in docs — these are reasonable dependencies for the workflow but may require external accounts/APIs if the agent or user chooses to use them; the skill itself does not ask for secrets.
- Persistence & Privilege
- ok: Skill does not request permanent presence (always=false) and does not modify other skills or system-wide settings. The scaffold script only creates files under a user-specified target directory.
