Skillv1.0.0

ClawScan security

AI-Integrated STEAM Lesson Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 4, 2026, 10:28 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only lesson-plan generator whose requested resources and runtime instructions align with its stated purpose, but it relies on third‑party AI services and asks teachers to upload student work to those services — which has privacy and policy implications teachers/schools must review.
Guidance: This skill appears to do what it claims (generate EDB-aligned, AI-integrated lesson plans) and does not request system credentials or installs. Before installing or using outputs in class, check: 1) Student privacy and consent — the instructions encourage uploading photos/screenshots of student work to third-party AI services (GLM5/OpenAI, HeyGen, Tripo3D.ai, Canva). Verify your school/district data-protection policy and obtain parental consent where required; anonymize or redact identifiable information when possible. 2) Service Terms & Data Retention — confirm each third-party tool's terms and whether submitted student work may be used to train models or retained. 3) Security/compliance — consult your school IT or legal team (PDPO/HK Education Bureau guidance) before sharing student data externally. 4) Claim verification — the README states EDB grant alignment and value claims; validate those requirements and any submission rules directly with the Education Bureau. 5) Tool availability — some tool names/links (e.g., “GLM5” vs chat.openai.com) may be ambiguous; confirm which provider/platform the school will actually use and test them on the school network. If you cannot accept external processing of student work, you can still use the skill for lesson structure and offline/adapted activities without uploading student data.

Review Dimensions

Purpose & Capability: okThe name/description (AI-integrated STEAM lesson plans) matches the contents: SKILL.md focuses on generating lesson plans and integrating external AI tools (GLM5, Canva, HeyGen, Gamma, Blender, Tripo3D.ai). There are no unrelated required binaries, environment variables, or installs requested.
Instruction Scope: noteInstructions stay within the pedagogical scope (lesson structure, minute-by-minute steps, tool setup). However, the skill explicitly instructs teachers to take photos/screenshots of student work and upload them to external AI services (e.g., GLM5/chat.openai.com, HeyGen, Tripo3D.ai) for AI-assisted assessment — this is functionally consistent but raises data‑protection and consent concerns that the SKILL.md does not fully address.
Install Mechanism: okInstruction-only skill with no install spec and no code files; nothing is written to disk and no external install URLs or packages are pulled. This is the lowest-risk install model and is coherent with the skill's purpose.
Credentials: noteThe skill requests no environment variables, credentials, or system paths (proportionate). The only notable runtime behavior is recommending use of third-party web services and account creation (Canva, HeyGen, GLM5/OpenAI, etc.). That external-data flow is expected but could expose student PII and school data to external providers; SKILL.md does not require credentials but does recommend uploading student work to external endpoints.
Persistence & Privilege: okNo elevated privileges requested: always is false, skill is user-invocable and not force-enabled, and it does not attempt to modify other skills or system configs. There is no persistent background component or autonomous installation behavior in the package.