Skill v1.0.0

ClawScan security

Instagram Photo Text Overlay · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 17, 2026, 4:40 AM
Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary
The skill's files and runtime instructions are consistent with an image text-overlay utility; nothing in the visible code or SKILL.md requests unrelated credentials or network access, but the main() body was truncated so full verification is incomplete.
Guidance
This appears to be a straightforward image overlay tool: install Python + Pillow, run the script with an input photo and output path. Before using, verify the rest of the script (the truncated main() portion) to ensure it doesn't make network requests or read/write unexpected files. Run it on non-sensitive images first and, if you want extra safety, execute it in a sandbox/container. If you want me to check the missing part of the file (the remainder of main()), paste it and I'll re-evaluate with higher confidence.

Review Dimensions

Purpose & Capability
ok: Name/description, the SKILL.md usage, and the included scripts/overlay.py all align: they implement drawing gradients and text on an input image and writing an output image. The declared requirements (Python + Pillow) match what the script uses. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
note: SKILL.md gives explicit CLI usage that only reads an input image and writes an output image. The doc has a small vague tip («pull top picks from existing itineraries when available») which is a content suggestion rather than an instruction to read other files, and the visible code only touches image and font paths. Recommend reviewing the truncated main() to confirm it doesn't perform extra IO (reading arbitrary files) or network requests.
Install Mechanism
ok: This is an instruction-only skill with a single Python script; there is no install spec. SKILL.md correctly notes Python 3 and Pillow (pip install Pillow). No downloads or execution of remote code are specified in the visible files.
Credentials
ok: The skill requires no environment variables, credentials, or config paths. The script references common system font paths (macOS/Linux) which is expected for rendering and not sensitive. No secrets are requested or used in the visible code.
Persistence & Privilege
ok: The skill does not request persistent or elevated presence (always:false). It doesn't modify other skills or system-wide settings in the visible code.