Skill v1.0.0
ClawScan security
AI Podcast Show Notes Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 20, 2026, 5:20 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description matches its purpose (generating show notes) but its runtime instructions reference external services (Apify, Claude) without declaring any required credentials or installation steps, which is an important mismatch the user should understand before installing.
- Guidance: Before installing, confirm how the skill accesses Apify and Claude: does the platform supply built-in connectors, or will you need to provide API keys? If API keys are required, prefer creating scoped/service tokens (not your primary account credentials). Ask the publisher to document which endpoints are called and whether any scraped content or generated show notes are stored externally. Consider these risks: web scraping can violate site terms or collect sensitive third‑party data; automatic network calls increase blast radius if the skill is invoked autonomously. If you proceed, run the skill in a limited/sandboxed environment, monitor outbound requests, and avoid supplying high-privilege credentials until you verify the integration details. If the publisher cannot explain the missing credential/installation details, treat the skill cautiously or decline to install.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md explicitly relies on Apify scrapers (Google, Reddit, YouTube) and Claude AI for analysis/generation, but the skill declares no required environment variables, credentials, or install steps. If the skill truly needs Apify/Claude access, it should request API tokens or document how those integrations are provided. As written, there's a capability/requirement mismatch.
- Instruction Scope (note): Instructions stay within the stated purpose (scrape competitor show notes, analyze patterns, generate 10 SEO-optimized variants). However they direct broad web scraping and SERP analysis via Apify without describing limits, rate-limiting, or what data is collected. That lack of precision could lead to excessive external requests or unintended collection of third-party content.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing is written to disk by the skill itself. That lowers install-time risk.
- Credentials (concern): The instructions mention external services that normally require credentials (Apify, Claude) but the skill lists no required env vars or primary credential. This is disproportionate/unexplained: either the platform supplies connectors (not documented) or the SKILL.md omitted credential requirements.
- Persistence & Privilege (ok): The skill is not always-enabled and is user-invocable (defaults). Autonomous model invocation is allowed (platform default). This is normal, but combined with the external-scraping behavior and missing credential declarations it increases the importance of understanding where requests and data will go.
