Skillv1.0.0

ClawScan security

Content Source To Markdown · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 13, 2026, 5:11 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only converter that asks the agent to summarize and reformat web/social content into markdown; its declared requirements and files are consistent with that purpose.
Guidance: This skill appears internally consistent and low-risk because it’s instruction-only and requests no credentials. Before using it, consider: (1) how source content will be provided—prefer user-pasted snippets or explicit URL lists rather than giving the agent unrestricted live-scraping access; (2) copyright and privacy: do not feed private or paywalled content or personal data without consent; (3) licensing: the SKILL.md claims CC BY-NC-SA and a separate paid commercial license for commercial use—confirm licensing if you plan to use outputs commercially; (4) if you rely on automated fetching, verify that the agent’s network/scraping behaviour complies with website terms of service. If you need stronger guarantees, ask the author to clarify the exact fetch method and add explicit limits on what the skill may access or transmit.

Purpose & Capability: okName, description, and files all describe transforming URLs/snippets into structured markdown briefs. The skill declares no binaries, env vars, or installs, which is consistent with a purely instruction-driven summarization utility.
Instruction Scope: noteThe instructions are high-level ('Extract source content', 'Remove noise') but do not specify commands, endpoints, or credential access. That makes the scope consistent but somewhat ambiguous: the agent will need to fetch or be given source content to operate. This ambiguity can lead to different runtime behaviours (e.g., live scraping vs. using user-provided snippets).
Install Mechanism: okNo install spec and no code files — instruction-only — so nothing is written to disk or downloaded. This is the lowest-risk install profile.
Credentials: okThe skill requests no environment variables, credentials, or config paths. For the stated purpose (content summarization), no extra secrets are needed, so the requested privileges are proportionate.
Persistence & Privilege: okThe skill is not always-enabled and does not request special persistence or modify other skills. Autonomous invocation is allowed (platform default), which is expected for skills of this type and is not, on its own, a concern.