Skillv1.0.1

ClawScan security

Video pusher · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 16, 2026, 7:14 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill code, runtime instructions, and install steps are coherent with a multi‑platform browser automation publisher that stores browser sessions locally; nothing in the bundle appears to request unrelated credentials or to exfiltrate data.
Guidance: This skill appears to be what it says: local Playwright scripts that open real browser windows to help you upload and fill content, and then require you to manually click the final publish/share button. Before installing: 1) Verify you trust the 'uv' package (it is required to run the provided commands); 2) be aware 'uv run playwright install chromium' will download Chromium (~150MB); 3) the skill will store browser sessions and cookies under video-pusher/profile/ (accounts.json and per-platform profile folders) — review and manage these files carefully (use separate/test accounts if you are concerned); 4) the scripts will be able to read any media file path you supply, so do not pass sensitive file paths; and 5) automated posting may violate some platforms' Terms of Service, so confirm compliance. If you need greater assurance, inspect the 'uv' package source and run the scripts in an isolated environment or on a throwaway account first.

Review Dimensions

Purpose & Capability: okName/description match the code and instructions: all scripts perform browser automation to publish to the listed platforms and the SKILL.md consistently routes actions to those scripts. The single required binary ('uv') aligns with the documented 'uv run' usage throughout the docs and scripts.
Instruction Scope: okSKILL.md and per-subskill SKILL.md files restrict operations to the project's Python scripts and require user confirmation/manual clicks for final publishing. The runtime instructions and code only access the local profile/ directory (accounts.json and per-platform Chromium profiles), the provided media file paths, and the target platform websites. They do not attempt to read other system config or send data to third-party endpoints beyond the social platforms visited during normal publishing.
Install Mechanism: noteInstall requires installing/using the 'uv' tool and running 'playwright install chromium', which downloads Chromium (~150MB). This is expected for Playwright‑based automation, but it is a non-trivial download and relies on the 'uv' package; users should confirm 'uv' is from a trusted source (PyPI) before installing.
Credentials: okNo environment variables or external credentials are requested. The scripts store/reuse browser sessions and cookies under profile/, which is appropriate for a session‑based automation tool. The skill does not ask for unrelated secrets or access to other credentials.
Persistence & Privilege: okThe skill persists Chromium session data and accounts.json under a project-local profile/ directory (expected for reuse of logins). It does not request 'always: true' or modify other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but not coupled with elevated privileges or secret access.