Skill v1.0.0
ClawScan security
Brand Voice Writer — AI Content in Your Voice · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 23, 2026, 1:11 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions are coherent with a brand-voice content generator: it reads a local brand profile and trend data, generates content, and saves drafts—no unusual installs or credential requests—but it references another skill's data without declaring that dependency, so double-check file availability and contents.
- Guidance: This skill appears to do what it says—read a brand profile and trend data, generate content, and save drafts—but check these before installing: 1) Ensure you host a valid config/brand-voice.json and that it does not contain sensitive credentials or PII (the skill will read everything in that file). 2) Confirm the referenced Content Scraper skill or the data/trend-report-{date}.json files exist and are in the expected format, since that dependency is not declared. 3) Review the write location (data/content-batch-{date}.json) to ensure automatic drafts won't be exposed or published unintentionally. If you want stricter control, restrict the agent's access to only the specific config/data files and verify sample files manually first.
Review Dimensions
- Purpose & Capability (note): The name/description match the actions: loading a brand profile, filtering trends, creating posts, and saving drafts. One mismatch: the SKILL.md requires loading 'Content Scraper' output (data/trend-report-{date}.json) but the skill's metadata does not declare a dependency on a Content Scraper skill or otherwise document that cross-skill data source.
- Instruction Scope (ok): Runtime instructions are narrowly scoped to reading local files (config/brand-voice.json and data/trend-report-*.json), transforming that data into content, performing quality checks, and saving to data/content-batch-*.json. The instructions do not ask the agent to access unrelated system paths, environment variables, or external endpoints.
- Install Mechanism (ok): This is instruction-only with no install spec or code files, so nothing is downloaded or written to disk at install time beyond what the agent itself will produce at runtime.
- Credentials (ok): No environment variables, credentials, or config paths are declared as required. The skill reads local JSON files for profile and trend data, which is proportional to its stated purpose.
- Persistence & Privilege (ok): always:false (no forced inclusion) and no special privileges requested. The skill runs with the platform's normal autonomous-invocation setting; that alone is expected for a skill of this type.
