Skill v1.0.0
ClawScan security
Product Angle Ideas · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 13, 2026, 9:27 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only content-generation helper whose requested resources and instructions match its stated purpose and do not ask for credentials, installs, or system access.
- Guidance: This skill appears coherent and focused on generating TikTok/creator marketing angles. Before installing: (1) note the license—CC BY-NC-SA 4.0 prohibits commercial use without a paid license from Razestar; secure a commercial license if you plan to monetize. (2) Avoid pasting sensitive or proprietary data into the skill inputs (product roadmaps, customer PII, secret business metrics). (3) The skill promises to avoid fabricated evidence, but always verify factual claims before publishing. (4) Because it is instruction-only and requests no credentials, there is no obvious exfiltration risk from the skill itself—however, if you integrate outputs into other systems, ensure those systems are secure.
Review Dimensions
- Purpose & Capability: ok. Name/description (product marketing angles for TikTok/creators) align with the SKILL.md workflow and expected inputs/outputs. There are no unrelated requirements (no cloud creds, no binaries).
- Instruction Scope: ok. Runtime instructions are limited to checking input quality, generating angles/hooks, removing risky claims, and recommending tests. They do not instruct reading files, environment variables, or sending data to external endpoints.
- Install Mechanism: ok. No install spec and no code files; this is instruction-only so nothing is written to disk or fetched during installation.
- Credentials: ok. The skill declares no environment variables, credentials, or config paths. Its needs are proportional to its purpose (text-in/text-out content generation).
- Persistence & Privilege: ok. `always` is false and the skill does not request elevated or persistent system presence. Autonomous invocation is allowed but is the platform default and not in itself a concern here.
