v1.0.2

Auto Content

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:01 AM.

Analysis

This is mostly a content-writing pipeline, but it tells the agent to automatically run X/web trend searches at the start of every session before the user asks.

Guidance: Review this skill before installing. It should be safe to use as a manual content-research assistant, but the automatic Stage 0 behavior should be removed or changed to require explicit user approval. Do not provide Ahrefs or SEMrush API keys unless you understand the account permissions and are comfortable using that credential in the agent session.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
Also trigger automatically at the start of every new session to scan X for trending topics relevant to the user's project spec — propose hot keywords before the user asks.

This attempts to make the skill self-activate for every new session and produce output before the user asks for content work, which can redirect the agent away from the user's current goal.

User impact: The agent may interrupt unrelated sessions with trend-scanning behavior and content suggestions.
Recommendation: Disable or remove the automatic session-start trigger; require the user to explicitly invoke trend monitoring or the content pipeline.

Tool Misuse and Exploitation
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
Run automatically at the start of every new session, before the user says anything. ... Run web searches ... `site:x.com [domain keyword] -filter:replies` ... `crypto twitter trending today`

The skill instructs web/X searches to be run automatically rather than only after a user asks for research, creating unapproved network activity and tool use.

User impact: The agent could perform external searches using project details without the user's explicit request in that session.
Recommendation: Require explicit user confirmation before running web searches or fetching social/community content.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
SKILL.md
Reference files (read when detail is needed): `references/scoring-rubrics.md` ... `references/ai-patterns-blacklist.md` ... `references/output-templates.md` ...

The manifest only supplies SKILL.md, so these referenced instruction files are unavailable for review. This is not executable code, but it means part of the intended behavior is missing from the artifact set.

User impact: The skill may not behave as documented, or users may not be able to inspect the full scoring and output instructions before installation.
Recommendation: Publish the referenced files with the skill or remove the references so the reviewed artifact set is complete.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low, Confidence: High, Status: Note
SKILL.md
Ask once: "Do you have an Ahrefs or SEMrush API key?" Use if provided.

The optional API key request is purpose-aligned for SEO keyword research, but API keys are credentials and should be handled carefully.

User impact: Providing an SEO API key may allow account usage, quota consumption, or access according to that provider's permissions.
Recommendation: Use a limited-scope key if possible, avoid sharing unrelated credentials, and revoke the key after use if it was pasted into chat.