Skill v1.1.0
ClawScan security
Longform Blog Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 9:19 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only longform blog-writing template that requests no credentials, does not install code, and its runtime instructions are coherent with its stated purpose.
- Guidance: This skill is internally consistent and low-risk: it only provides a writing workflow and templates and requires no credentials or installs. Two practical notes before installing: (1) it invokes a separate 'concept-decoder' skill for deep explanations — make sure that skill exists and you trust it, since external skill calls extend the runtime behavior; (2) the SKILL.md forbids fabricating citations, but the agent can still produce incorrect or invented facts — always verify important names, dates, statistics, and citations (especially before publishing). If you plan to feed private documents or proprietary source links, consider whether you want an external skill or agent with network access to see those documents.
- Findings: [no_code_files_to_scan] expected: The regex scanner found nothing to analyze because this is an instruction-only skill (SKILL.md + README). That absence of findings is expected and not evidence of risk.
Review Dimensions
- Purpose & Capability (ok): The name/description (longform blog writing) matches the SKILL.md: structured workflows, article templates, and editorial rules. No unexpected binaries, config paths, or credentials are requested.
- Instruction Scope (ok): Instructions stay within writing/editorial scope (ask intake questions, propose an outline, draft, revise, embed citations, call Concept Decoder for complex concepts). They do not tell the agent to read unrelated files, access system paths, or transmit data to external endpoints beyond calling another skill.
- Install Mechanism (ok): No install spec and no code files — this is instruction-only, so nothing is downloaded or written to disk. Low install risk.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. It only references another skill (concept-decoder), which is appropriate for the stated functionality.
- Persistence & Privilege (ok): 'always' is false and the skill is user-invocable. It does not request permanent presence or privileges to modify other skills or system settings.
