zenn
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherently focused on drafting and publishing Zenn articles through a GitHub workflow, with expected but user-visible repository, publishing, and npm CLI actions.
This skill appears safe for its intended use, but review every git diff and PR before merging. Be especially careful before changing `published: true`, because that can make content public on Zenn. Run npm/npx commands only in the intended repository and consider pinning the Zenn CLI version.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used on the wrong repository, branch, or files, the agent could push unwanted article drafts or assets.
The skill documents git commands that can create commits and push branches to a remote repository, which is expected for a GitHub-based publishing workflow but still changes user-controlled project state.
    git checkout -b article/<slug>
    git add articles/<slug>.md images/<slug>/
    git commit -m "Add draft: <title>"
    git push -u origin article/<slug>
Confirm the repo path, remote, branch, and git diff before allowing commits or pushes.
The agent may act through your GitHub repository access to create PRs, update branches, and eventually publish content to Zenn.
Publishing through GitHub requires repository permissions and may use the user's configured GitHub identity, which is appropriate for the purpose but should be intentional.
Open a PR into the Zenn publishing branch.
Use the intended GitHub account and repository, and review PRs before merging to the Zenn-connected branch.
Installing or running npm packages can execute third-party code in the local project environment.
The skill instructs users to install and run the Zenn CLI from npm; this is central to the stated purpose, but the package version is not pinned.
    npm install zenn-cli
    npx zenn init
Install zenn-cli intentionally, consider pinning a trusted version, and run npm commands only in the intended repository.
