Skill v1.0.0
ClawScan security
draw-skills · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 19, 2026, 7:44 AM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only prompt generator for producing figure prompts and captions; its declared requirements, instructions, and scope are consistent with that purpose and it does not request extra credentials, installs, or system privileges.
- Guidance: This skill appears coherent and limited to generating figure prompts and captions. Before installing, consider: 1) it expects you to upload PDFs/images — do not upload sensitive or unpublished material you don't want exposed; 2) the skill itself contains no network calls or credentials, but the agent platform or downstream tools (e.g., nanobanana) might require API keys or send data externally — check how your agent runtime handles uploaded files and outbound requests; 3) if you plan to use the prompts with a paid/external service, verify that service's privacy policy for uploaded content; and 4) if you need strict handling of PHI or proprietary data, test with non-sensitive samples first. If you want extra assurance, request visibility into where the agent sends generated prompts (which external tool integrations it will call) before enabling the skill.
Review Dimensions
- Purpose & Capability: ok. The name/description match the runtime instructions: the skill analyzes papers/images and produces detailed natural-language prompts and captions for illustration tools (nanobanana). It requests no unrelated binaries, environment variables, or config paths.
- Instruction Scope: ok. SKILL.md stays within the stated purpose: mode detection, domain/style extraction, figure planning, and prompt/caption generation. It asks the agent to accept user-provided PDFs/text/images (expected for this task) and to extract style features only (explicitly forbids extracting textual/content elements from reference images). There are no instructions to read unrelated system files, use unspecified credentials, or transmit data to unexpected endpoints.
- Install Mechanism: ok. Instruction-only skill with no install spec and no code files — nothing is written to disk or fetched during installation.
- Credentials: ok. The skill declares no required environment variables or credentials. The operations described (analyzing uploaded papers/images and composing prompts/captions) do not require additional secrets or external account access.
- Persistence & Privilege: ok. The skill is not always-enabled and does not request elevated persistence or modifications to other skills or system-wide settings. Autonomous invocation is allowed by default on the platform (normal), but the skill itself does not request extra privileges.
