ClawHub
Back to skill
v1.0.0

Generate Restaurant Ad Creative Brief

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:04 PM.

Analysis

The skill’s stated ad-brief purpose is simple, but it requests shell/file-read tools and has inconsistent install/source references, so it should be reviewed before installing.

GuidanceBefore installing, verify that the package source and install command are the intended ones, and prefer a version that does not grant Bash or local file-read access unless you specifically need and understand those permissions.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
allowed-tools: Bash, Read

This grants shell command and local file-read capability, but the skill’s described function is only to plan restaurant ad creative briefs. The artifacts do not explain why shell or file access is needed or how it is bounded.

User impactIf invoked, the skill could have access to tools that are more powerful than necessary for generating an advertising brief.
RecommendationRemove Bash and Read unless there is a clearly documented, user-approved workflow that requires them; otherwise limit the skill to chat and image-generation capabilities.
Agentic Supply Chain Vulnerabilities
SeverityMediumConfidenceMediumStatusConcern
README.md
clawhub install qiaomu-generate-restaurant-ad-creative-brief ... git clone https://github.com/qiaomucom/generate-restaurant-ad-creative-brief.git

The supplied registry metadata names the evaluated slug as `toby-generate-restaurant-ad-creative-brief`, while the README tells users to install or clone a `qiaomu` package/repository. This mismatch makes the install provenance unclear.

User impactA user following the README could install a different package or source than the one represented by the registry entry.
RecommendationAlign the README install commands with the registry slug and provide a clear, pinned, verifiable source repository if manual installation is supported.