Skill v1.0.0

ClawScan security

Creative Eye · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 8:40 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only creative-evaluation framework whose requirements and instructions are consistent with its stated purpose and do not request unrelated credentials or installs.
Guidance
This skill is an instruction-only creative-evaluation guide and appears coherent with its stated purpose. Before installing or enabling it, confirm where the 'study log file' will be stored and how large/what content (images, drafts) will be logged; avoid writing sensitive images or private data to persistent logs. Also verify how your agent's vision-model critiques are executed in your environment (local model vs. third-party API) so you understand whether images will be sent to external services. If you need stronger assurance, review the full SKILL.md for any prompts that explicitly call external endpoints or ask for secrets (none are present in the excerpts). Overall the risk is low, but exercise the usual caution around storing or transmitting any proprietary images or brand assets.

Review Dimensions

Purpose & Capability
ok
The name/description (design judgment for visual content) aligns with the provided frameworks, scorecards, checklists, and self-refinement prompts. There are no unrelated dependencies, environment variables, or binaries requested that would be inconsistent with a creative-evaluation skill.
Instruction Scope
ok
SKILL.md contains prescriptive, domain-specific instructions (STUDY→COMPARE→CREATE→EVALUATE, scorecards, checklists, and vision-model critique prompts). It does instruct agents to keep a 'study log file' and to run vision-model self-critiques, but it does not direct the agent to read arbitrary system files, access unrelated credentials, or transmit data to unknown external endpoints within the provided excerpts.
Install Mechanism
ok
No install spec or code files that would write or execute third-party binaries are included. The package.json and README are metadata/documentation only; there is no download/extract/install step described.
Credentials
ok
The skill declares no required environment variables, credentials, or config paths. The instructions refer to storing study logs and using vision-model critique prompts but do not require secrets or unrelated access. Requested capabilities are proportionate to creative evaluation.
Persistence & Privilege
ok
'always' is false and the skill is user-invocable; it does not request permanent presence or elevated platform privileges. Autonomous invocation is allowed by default on the platform, but that is normal and not combined with other red flags here.