Skill v1.0.0
ClawScan security
Clawvisual · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 9, 2026, 11:14 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and requested data are coherent with a local CLI that starts and/or connects to a clawvisual MCP service; nothing indicates misdirection or unexplained external access.
- Guidance: This skill appears to do what it says: it runs a local CLI client that talks to a clawvisual MCP service and (if needed) auto-starts a local Next.js web server. Before installing or running:
  1. Confirm you trust the npm 'clawvisual' package source (npm install -g clawvisual is suggested).
  2. Be aware it stores keys unencrypted at ~/.clawvisual/config.json and will pass LLM API keys into child-process environments—if you prefer not to persist secrets, set keys only via environment variables and/or avoid using the CLI 'set' command.
  3. Auto-start only works for localhost—set CLAWVISUAL_MCP_URL to a remote service if you want external MCP usage, but that will direct requests (and your x-api-key header) to that endpoint.
  4. If you do not want the skill to launch local servers, set CLAWVISUAL_NO_AUTO_START=1 before using initialize.
  Inspect the npm package contents (and node_modules/next provenance) before installing to ensure you trust the code that may be executed on your machine.
Review Dimensions
- Purpose & Capability (ok): Name/description (convert URLs/long text to social carousels via a local CLI + MCP) match the required binary ('clawvisual'), the included client, and the documented CLI commands. Required artifacts (LLM key, optional API key, MCP URL) are expected for an app that calls an LLM and a local MCP JSON-RPC service.
- Instruction Scope (note): SKILL.md and the included client focus on starting/probing a local MCP endpoint, calling JSON-RPC tools, and storing CLI config. The client reads/writes ~/.clawvisual/config.json and will auto-start a local Next.js dev server if the MCP is not found. These behaviors match the skill's purpose, but note that it persists config (including secret values) to disk and may spawn processes on your machine.
- Install Mechanism (ok): There is no remote download/install executed by the skill itself; the README recommends installing 'clawvisual' from npm. The client expects a standard node package layout (e.g., node_modules/next) to auto-start a local dev server. This is proportional for a local CLI/web stack.
- Credentials (note): The skill uses/encourages LLM-related env vars (CLAWVISUAL_LLM_API_KEY, LLM_API_URL, LLM_MODEL) and an optional CLAWVISUAL_API_KEY for MCP auth — these are appropriate. Caveat: the client stores config (including API keys) in plaintext at ~/.clawvisual/config.json and also injects LLM_* values into the environment of any auto-started child process, so secrets may be present in child-process envs and on disk.
- Persistence & Privilege (ok): always:false and no attempt to modify other skills or global agent configuration. It persists its own config under the user's home directory and can auto-start a local server (only for localhost by default), which is reasonable for this type of CLI client.
