Skill v1.0.0

ClawScan security

AhaPoint 生成专家 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 6, 2026, 5:56 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with its stated purpose (web research + generating and saving AhaPoint reports); nothing requests unexplained credentials or remote endpoints, but it will read/write files in your workspace and perform web browsing.
Guidance
This skill appears to do what it says: it will browse the web to collect sources, generate APS v1.0-formatted reports (including metadata and Mermaid graphs), and save those reports and an index file into a local ahapoints-protocol directory. Before installing or invoking it, consider:
1) Back up the target workspace/registry (registry/index.json) in case you don't want automatic changes.
2) If you don't want the agent to write files, avoid running it or run it in a sandboxed workspace.
3) The skill will perform network searches and snapshot pages. If you have sensitive browsing restrictions, review that behavior.
4) The skill mentions optional use of third-party OCR APIs but does not require API keys; only add such keys if you intentionally integrate those services.
5) Review generated reports before publishing them (author/contact fields are filled from inputs).
If you want further assurance, ask the author to explicitly declare the config paths the skill will modify or run it first in an isolated workspace.

Review Dimensions

Purpose & Capability
ok: Name/description (generate AhaPoint reports) match the instructions: uses a browser to research, classifies points, generates APS v1.0 metadata, Mermaid graphs, and writes .md files and a local registry. No unrelated credentials or binaries are requested.
Instruction Scope
note: SKILL.md explicitly instructs the agent to browse (Google searches), snapshot pages, extract content, create APS metadata, save files under ahapoints-protocol/points/, and update registry/index.json. Those actions are coherent with the skill's purpose but do involve web scraping and local file writes. Confirm you are comfortable with the agent performing network requests and modifying files in your workspace.
Install Mechanism
ok: Instruction-only skill with no install spec or external downloads. Lowest install risk.
Credentials
ok: The skill declares no environment variables or credentials. It mentions optional OCR/API integrations in examples (e.g., Baidu/Tencent) but does not require API keys. No high-privilege secrets are requested.
Persistence & Privilege
note: always: false and normal autonomous invocation. The skill's runtime steps instruct writing files into the user's workspace (ahapoints-protocol/points/) and updating a local registry file. This is expected for a report generator but you should be aware it will modify files in your OpenClaw workspace.