Skill v1.0.0

ClawScan security

Content News Thai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:22 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (generating Thai news-style images); the included scripts and instructions match that goal and do not request unrelated credentials or hidden network endpoints.
Guidance
This skill appears to do what it claims: generate Thai news-style images. Before installing or running setup.sh, consider: 1) setup.sh installs system packages (apt/brew), npm dependencies (canvas) and downloads fonts from GitHub — run it in a controlled environment (docker container or VM) if you want to avoid changing your host. 2) The script copies fonts to a system font directory and may use sudo; expect system-wide changes. 3) gen-news.mjs can load bgImage URLs (it may fetch remote images) and writes output files to disk — only pass URLs/paths you trust and choose a safe output directory. 4) npm canvas requires native build tools; review the package.json and the npm install output. If you are comfortable with those actions, the skill is coherent and reasonable for its purpose; otherwise run it in an isolated environment or inspect/run the scripts manually before use.

Review Dimensions

Purpose & Capability
ok: Name/description match the code and instructions: gen-news.mjs renders 1080x1350 images with Thai fonts; setup.sh installs canvas and Thai fonts. There are no unrelated credentials, binaries, or config paths declared.
Instruction Scope
note: SKILL.md instructs running the provided setup.sh and calling node gen-news.mjs with a JSON param. The runtime will read optional bgImage paths/URLs and write an output file. This is within scope, but the setup step can install system packages, copy fonts system-wide, and requires network access to download fonts and (optionally) fetch remote bgImage URLs — users should be aware of those side-effects before running.
Install Mechanism
note: No packaged install spec in registry (instruction-only), but setup.sh performs system package installation (apt/brew), runs npm install (canvas), and downloads fonts from GitHub raw URLs. Fonts from Google Fonts on GitHub are expected; npm canvas is a normal dependency but requires native build tools. These are moderate-risk actions because they install system packages and node modules and write files to disk.
Credentials
ok: The skill declares no required env vars or credentials. The code optionally reads OPENCLAW_WORKSPACE to locate fonts if present — this is benign and documented. No unrelated secrets or external service tokens are requested.
Persistence & Privilege
note: always is false. The setup script may install fonts system-wide (copies to /usr/local/share/fonts) and uses sudo if needed; that modifies system state and may require elevated privileges. The skill does not modify other skills or agent configs.