Back to skill
Skillv1.0.0
ClawScan security
Xhs Enhancer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 8, 2026, 2:32 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent and contains a small, local Node.js module with no network, credential, or install requirements, but its claims of continuous AI-driven maintenance appear to be marketing rather than implemented functionality.
- Guidance
- This skill appears benign and is just a small local module with placeholder methods. However, its description suggests automated 24/7 AI maintenance that the code does not implement. If you plan to use this in production, verify the author's provenance, request details about any external services or scheduled/background processes they intend to add, and run the code in a sandboxed environment first. If you expect continuous automation, require the developer to document the mechanism (webhook, scheduler, cloud service) and any credentials it will need before enabling it widely.
Review Dimensions
- Purpose & Capability
- noteName/description claim: an 'Xhs (小红书) Enhancer' with 24/7 AI-driven maintenance. The provided code implements a simple XhsEnhancer class with placeholder methods (analyzeTrends, generateNote, monitorCompetitors) and no external integrations. Requiring no credentials or binaries is coherent for a local helper/prototype, but the advertised continuous/automatic maintenance and improvements are not implemented in the code (no background process, no scheduler, no network).
- Instruction Scope
- okSKILL.md simply instructs running node scripts/main.js. The script only logs an init message and exports a class with stub methods; it does not read files, access environment variables, make network calls, or transmit data. The runtime instructions match the included code.
- Install Mechanism
- okNo install spec is provided (instruction-only). There is one local code file. No downloads, package installs, or archive extraction are requested, which is low risk.
- Credentials
- okThe skill declares no required environment variables, credentials, or config paths and the code does not access any. The absence of requested secrets is proportionate to the implementation.
- Persistence & Privilege
- okalways is false and the skill contains no logic to persistently modify agent settings or other skills. There is no autonomous background process or privileged behavior.