Skill v1.0.0
ClawScan security
Cardnews · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 15, 2026, 10:27 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with its stated purpose (generating 5-slide Instagram cardnews) and the included code is small and readable; the only notable runtime behavior is a safe-seeming pip install of Pillow if it's missing.
- Guidance: This skill appears coherent and small. Things to consider before installing: (1) It relies on another skill (nano-banana-pro) — verify that skill's source and permissions because image generation is delegated to it. (2) The included convert_jpg.py will pip-install Pillow at runtime if missing, which downloads packages from PyPI — if you require an offline or locked environment, pre-install Pillow or inspect and sandbox the execution. (3) The SKILL.md references a TOOLS.md browser upload flow not included here — confirm how uploads are handled in your environment. If you plan to run this in a shared or sensitive environment, run the converter in a sandbox or review/approve the nano-banana-pro skill first.
Review Dimensions
- Purpose & Capability (ok): Name/description match the content: planning slides, generating images via another image-gen skill (nano-banana-pro), converting PNG→JPG, caption writing, and upload prep. Required binaries/env/config are empty and consistent with an instruction-only skill that delegates image creation to another skill.
- Instruction Scope (note): SKILL.md stays on-task (plan slides, call nano-banana-pro to generate PNGs, convert to JPG, write caption, use browser upload). It references running a script from the nano-banana-pro skill and a browser-based TOOLS.md workflow — these are reasonable but require the nano-banana-pro skill and the TOOLS.md upload doc to be present and trusted. The instructions don't ask for unrelated files, credentials, or system-wide config.
- Install Mechanism (note): No install spec (instruction-only) which is low-risk. The included convert_jpg.py will attempt to pip-install Pillow at runtime if it's missing (via subprocess.check_call). That behavior performs a network package install when first run — not inherently malicious but worth noting because it writes packages to the environment at runtime.
- Credentials (ok): Skill declares no environment variables, no credentials, and no config paths. SKILL.md does not reference environment variables or secrets. The lack of external credential requests is proportionate to the stated purpose, though the skill delegates image generation to another skill which may have its own credential needs.
- Persistence & Privilege (ok): always is false and the skill does not request permanent presence or modify other skills. It contains a small utility script but does not change system or agent-wide settings.
