Skill v1.0.0
ClawScan security
AI Landing Page Copy Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 20, 2026, 5:21 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (generate landing-page copy using Apify and Claude) is plausible, but the runtime instructions reference third‑party scraping and AI services without declaring the credentials, installs, or data flows required—this mismatch is concerning.
- Guidance: The skill's description and workflow look reasonable for a landing-page generator, but there are clear gaps you should resolve before installing or granting access:
  - Ask the publisher how Apify and Claude are invoked at runtime and where API keys are expected to be supplied. A legitimate integration will require an Apify API token and an LLM/API key; these should be declared and scoped.
  - Confirm where scraped competitor pages are stored, how long they are kept, and whether scraping respects robots.txt and site Terms of Service. Scraping can have legal and ethical implications.
  - Verify data flow: what exact external endpoints receive your product info and scraped content (Apify, Claude, any analytics/third-party services)? Ensure you are comfortable with those external services and their privacy policies.
  - If the skill will ask you to provide API keys, only provide keys with the minimum scope required and preferably use separate service accounts or rate-limited keys.
  - Because the source and homepage are unknown, prefer caution: request a publisher contact or source code, or run the skill in a sandboxed environment first.

  If you need this functionality but want transparency, ask the author to declare required env vars, authentication method, and a minimal reproducible install/run example. Given these inconsistencies, treat the skill as untrusted until the above questions are answered.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md says it scrapes competitor pages with Apify and uses Claude AI for generation/analysis, which is coherent with a copy-generation purpose — but the skill declares no required environment variables, credentials, or install steps for Apify or Claude. A legitimate implementation would typically need an Apify API token and an LLM or Claude API key; their absence is an inconsistency.
- Instruction Scope (concern): Instructions explicitly direct the agent to scrape top competitor landing pages and analyze patterns. That is in-scope for copy research, but the SKILL.md is vague about how scraping is performed, where scraped data is stored/transmitted, and which external endpoints receive data. It gives broad authority to collect competitor content without describing legal/robots/consent considerations or data retention.
- Install Mechanism (ok): There is no install spec and no code files (instruction-only). That minimizes install-time risk because nothing is downloaded or written by the skill itself. However, the skill references external tooling (Apify) that would normally require runtime access to networked services.
- Credentials (concern): No environment variables or credentials are declared, yet the skill claims to use Apify scrapers and Claude AI — both typically require API keys/tokens. The lack of declared credentials is disproportionate to the described workflow and leaves unclear how the agent will authenticate to those external services or where secrets would be supplied.
- Persistence & Privilege (ok): The skill is not always-enabled and does not request persistent system privileges or to modify other skills. Autonomous invocation is allowed by default (normal). There is no indication the skill modifies system agent settings or persists credentials.
