Skillv1.0.0

ClawScan security

reshape-your-life（重塑你的人生） · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 10, 2026, 2:09 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only coaching skill whose requirements, instructions, and files are coherent with its stated purpose and do not request elevated privileges, credentials, or external installs.
Guidance: This skill appears coherent and low-risk from a system/credential perspective, but consider these points before installing: (1) The owner and homepage are unknown — treat trust accordingly; (2) The skill prompts users to discuss personal, potentially sensitive topics (values, past experiences, life goals). Avoid sharing highly sensitive PII, medical details, or legal/financial secrets in the chat; this is not a substitute for professional mental health or legal advice. (3) The skill enforces a fixed opening monologue and a rigid top-down process — if you want a different tone/shorter intro, review or edit the SKILL.md before enabling. (4) Because session content may contain personal data, review how your agent platform stores or logs conversations and consider retention settings. Overall this skill is internally consistent with its stated coaching purpose.
Findings: [no_findings] expected: The static regex scanner found nothing to analyze because this is an instruction-only skill with no executable code; this is expected for a purely conversational coaching skill.

Purpose & Capability: okName/description describe a guided life‑replanning coach; the skill is instruction-only, includes only dialogue scripts and theory references, and requests no binaries, env vars, config paths, or credentials — all proportional to a conversational coaching skill.
Instruction Scope: noteRuntime instructions are strictly conversational and self-contained (opening script, six-layer guided flow, wrap-up). Note: the SKILL.md mandates a fixed opening monologue that must be output when activated — this is a functional/design choice (not a security risk) but reduces flexibility/consent for users who might prefer a shorter/modified opener. The instructions do not ask the agent to read system files, access external endpoints, or collect credentials.
Install Mechanism: okNo install spec and no code files to execute; instruction-only skills have the lowest install risk. All referenced assets are bundled as plain text files in the skill package.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. The content asks for personal reflections (sensitive by nature) but does not request system secrets or unrelated external credentials.
Persistence & Privilege: okSkill is not always:true and has default autonomous invocation settings — the latter is platform default and not in itself a concern. The skill does not request system-level persistence or to modify other skills/configuration.