Skill v1.0.5
ClawScan security
LINE Rich Messages · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 1:31 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- This is an instruction-only LINE UI documentation skill that is largely coherent with its purpose, but there are inconsistent claims about a file-delivery workflow and a missing reference file which should be clarified before installation.
- Guidance
- This skill is mostly documentation and templates for building LINE Flex/UIs and does not request credentials or install code — that's good. Before installing: 1) Ask the skill author to reconcile the README references to a 'File Delivery SOP' / Google Drive workflow and the missing references/file-delivery.md with SKILL.md's statement that file delivery was removed. 2) Confirm whether the listed directive types (e.g., device control, Apple TV) are actually supported by your LINE plugin or are only placeholders. 3) If you plan to enable inline button capabilities, test these templates in a staging account (not production) to verify rendering and copy/paste behavior. 4) Because the skill can be invoked by an agent, avoid enabling it globally for sensitive agents until you’ve validated its behavior. If the author cannot explain the file-delivery discrepancy, treat the README claims as stale/outdated and proceed cautiously.
- Findings
[no_code_files_to_scan] expected: The regex scanner had nothing to analyze because this is an instruction-only skill (no code files).
Review Dimensions
- Purpose & Capability
- note: The name/description (LINE Rich Messages) matches the content: templates, directives, and raw JSON for LINE Flex messages. However, README and some references mention a 'File Delivery SOP' / Google Drive workflow and list references/file-delivery.md, while SKILL.md explicitly states 'No file delivery' and that file delivery content was removed — a clear inconsistency between files and the stated scope.
- Instruction Scope
- note: SKILL.md stays within documentation: it instructs how to construct Flex JSON and use directive tags, warns against embedding credentials or making unsolicited network calls, and defers actual sending to the LINE plugin. A minor scope issue: directives.md lists unusual items such as 'Device Control' and 'Apple TV' tags which are atypical for a messaging/template guide — they may be harmless placeholders but should be validated against the actual LINE plugin capabilities.
- Install Mechanism
- ok: No install spec and no code files — instruction-only content. This is low-risk: nothing will be downloaded or written by an installer.
- Credentials
- ok: The skill requires no environment variables, no credentials, and does not embed tokens. The metadata requests the 'line' plugin, which is appropriate for the stated purpose.
- Persistence & Privilege
- ok: always is false, no special privileges requested, and the skill does not request modifying other skills or system-wide settings. Autonomous invocation is allowed by default but not combined with other concerning privileges.
