Skill v1.0.0
ClawScan security
Shike Zhangxuefeng Perspective · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 16, 2026, 12:26 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: An instruction-only persona skill that provides career-planning advice in the style of Zhang Xuefeng; it requests no credentials, installs nothing, and its runtime instructions are limited to applying that viewpoint.
- Guidance: This is an instruction-only persona skill that appears internally consistent and does not request credentials or install software. Consider these practical points before installing: 1) The skill presents itself as a viewpoint/persona of a public figure — verify you are comfortable with potential impersonation or copyright/personal-rights issues. 2) The README advertises external contact channels and paid services (email/WeChat); those are outside the platform and may involve off-platform payments or communications — treat them like any external link and don’t share secrets. 3) Because it’s a persona, review a few sample outputs to ensure the advice quality and tone meet your needs. No technical red flags were found.
Review Dimensions
- Purpose & Capability (ok): Name, description, and SKILL.md all describe a career-planning persona and provide usage triggers; there are no unrelated environment variables, binaries, or install steps requested. The declared purpose matches the actual requirements.
- Instruction Scope (note): SKILL.md contains only persona description, heuristics, example trigger phrases, and contact/payment info. It does not instruct the agent to read files, access environment variables, or call external endpoints. Minor note: the skill advertises external contact channels (email/WeChat) and paid services — this is not a runtime requirement but is a potential social/operational consideration (outsourcing or off-platform payment/contact). The persona explicitly references a real person; if that person is real, impersonation/copyright considerations may apply, though not a direct security incoherence.
- Install Mechanism (ok): No install spec or code files; instruction-only skill — lowest install risk. The repository contains only README stubs and SKILL.md.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. There is no disproportionate request for secrets or system access.
- Persistence & Privilege (ok): Skill is not always-enabled and uses default autonomous invocation settings. It does not request elevated or persistent system privileges, nor does it modify other skills or system config.
