Skill v1.0.1
ClawScan security
地产项目品牌故事线策略 (Real Estate Project Brand Storyline Strategy) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 10, 2026, 7:10 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This skill is internally consistent with its stated purpose: it is an instruction-only real-estate brand/storyline generator that reads its bundled knowledge base, accepts user uploads, and performs web/image searches to enrich outputs — it requests no extra credentials or installs.
- Guidance: This skill appears coherent and aligned with its purpose. Before installing or enabling it, consider:
  1. It will read its bundled knowledge_base and any project files you upload — do not upload confidential or sensitive documents (contracts, personal IDs, internal financials).
  2. It will automatically call web_search and image_search to enrich outputs; these network calls are expected but mean external content may influence the generated text.
  3. If you later ask it to generate images via external services (Midjourney/DALL·E), you may need to supply API access separately — the skill itself does not request credentials.
  4. The SKILL.md prescribes that the agent prioritize this skill for any real-estate-related prompt, so expect frequent invocation for relevant queries.

  If any of these behaviors are unacceptable, decline or restrict use and avoid uploading sensitive materials.
Review Dimensions
- Purpose & Capability (ok): Name/description (地产项目品牌故事线, "Real Estate Project Brand Storyline") match the actual artifact: an instruction-only writing tool that reads a bundled knowledge_base, produces storylines and marketing modules, and uses web/image search for references. It does not request unrelated binaries, credentials, or install steps.
- Instruction Scope (note): Runtime instructions explicitly require the agent to read the included knowledge_base/ directory and any user-uploaded project files, and to automatically invoke web_search and image_search to supplement content. This is appropriate for the stated purpose, but it means the skill will autonomously fetch web results and will process the content of any uploaded documents — users should avoid uploading sensitive/secret files.
- Install Mechanism (ok): No install spec or external downloads; the skill is instruction-only and writes/reads only its provided markdown knowledge base. This is low-risk from an install/code execution perspective.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. It references use of external image-generation tools (Midjourney/DALL·E) only to produce prompts; it does not request API keys in the package. The requested access is proportionate to producing visuals and web-referenced content.
- Persistence & Privilege (ok): Flags show always:false and no special privileges. The skill does instruct that it 'must' be triggered for certain real-estate keywords (an operational preference), but it does not require permanent presence or modify other skills/configs.
