Skillv1.0.0

ClawScan security

Turbo Poster 9000 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 6, 2026, 6:37 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requirements and instructions are internally consistent with its stated purpose (generate social media posters) but it will send user content to an external third‑party API you should trust before using.
Guidance: This skill appears to do what it says: gather poster fields from the user and POST them to a third‑party synthesis API to generate images and captions. Before installing or using it, consider the following: (1) privacy — any text, speaker names, photos, logos or template files you provide will be transmitted to deepcontent-pair-scale-intelligence.vercel.app; don't submit sensitive or confidential data. (2) trust & IP — verify the service owner and terms of use to ensure you retain needed rights to generated images and that uploaded logos/photos are handled appropriately. (3) provenance — because the endpoint is a third‑party Vercel app with no homepage or owner identity in the registry metadata, prefer well-known providers for sensitive workflows. If you decide to proceed, avoid sending confidential data and request more info from the skill author about the API operator, data retention, and licensing.

Purpose & Capability: okThe skill is an instruction-only content generator that calls a remote 'DeepContent' synthesis API to create images and captions — this matches the name and description. It does not request unrelated binaries, credentials, or system access.
Instruction Scope: noteThe SKILL.md explicitly instructs the agent to POST user-provided text, image URLs, and template data to an external API endpoint (deepcontent-pair-scale-intelligence.vercel.app). The actions (asking for missing inputs, then calling the API) are within scope for a poster generator, but they will transmit any user-supplied content to that remote service — a privacy/IP risk the user should consider.
Install Mechanism: okThere is no install spec and no code files; nothing is written to disk. This is the lowest-risk install posture and consistent with an instruction-only skill.
Credentials: okThe skill declares no required environment variables, credentials, or config paths. That is proportionate for an instruction-only generator. Note: although it doesn't request secrets, it still sends user content to a third party.
Persistence & Privilege: okThe skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system configuration.