Skillv1.0.0

ClawScan security

Podcast Production Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 30, 2026, 4:56 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: This is an instruction-only podcast production workflow whose declared purpose and runtime instructions are consistent and do not request elevated system access or credentials.
Guidance: This is a low-risk, instruction-only skill that provides templates and checklists for podcast workflows. Before installing or using it in an agent that will act autonomously, check MODULE 4 (Distribution & Publishing) in the full SKILL.md: confirm whether it only provides publishing checklists or whether it tries to perform uploads or call external APIs. If the skill ever asks you to paste API keys, OAuth tokens, or private keys, treat that as a sensitive action — only provide minimal, platform-scoped credentials and consider using temporary tokens. Otherwise, the skill appears coherent and proportionate for its stated purpose.

Review Dimensions

Purpose & Capability: okThe name/description match the SKILL.md content: modules for planning, pre-production, production assets, distribution, repurposing, and growth. The skill declares no binaries, no env vars, no install — which is proportionate for a guidance/checklist-style skill.
Instruction Scope: noteThe SKILL.md (visible portions) contains only questions, templates, outlines, checklists and research-brief formats — all within the stated podcast workflow. One minor note: MODULE 4 mentions 'upload to Spotify / YouTube publishing' (truncated in the provided content). As presented, the skill appears to provide checklists rather than perform automated uploads; if the full SKILL.md instructs the agent to call external APIs to perform uploads, those instructions would be out of scope relative to the declared lack of credentials. Review the full MODULE 4 to confirm it does not attempt or instruct direct automated uploads without collecting appropriate credentials from the user.
Install Mechanism: okNo install spec and no code files — instruction-only. This has minimal install risk (nothing is written to disk or downloaded).
Credentials: okThe skill declares no required environment variables, credentials, or config paths. That is appropriate for a guidance/checklist skill. If you later allow the agent to perform uploads or use platform APIs, it should explicitly request only the minimal platform tokens needed.
Persistence & Privilege: okalways is false and the skill is user-invocable with normal autonomous invocation allowed. There is no indication it modifies other skills or requests permanent presence.