Skill v1.0.0
ClawScan security
Generate YouTube Thumbnail Concepts · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 4:41 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is mostly an innocuous, instruction-only thumbnail idea generator, but small inconsistencies (copy-paste install instructions pointing to a different repo/slug and vague references to unspecified 'SkillBoss capabilities') make the bundle unclear and worth checking before use.
- Guidance
- This skill appears to do what it says (produce thumbnail concepts) and is low-risk as an instruction-only skill, but there are a few things to check before installing or enabling it:
  - Source verification: the README references a different GitHub slug/owner than the registry metadata. Ask the publisher to confirm the canonical source or review the linked repository before installing.
  - External services: SKILL.md lists image_generation but declares no credentials; find out which image service(s) it will call and how API keys are provided/stored. Never supply secrets unless you trust the source and the exact endpoints used are documented.
  - Broad capabilities: the doc's reference to 'SkillBoss capabilities' and the allowed-tools entry (Bash, Read) are vague. Confirm what runtime tools the skill will actually call and whether it will read local files or run shell commands.
  - Test safely: run or audit the skill in a sandboxed environment first, and prefer a publisher with a verifiable repository/homepage and a clear install path.
- If the publisher can confirm the repository URL and clarify which image API is used (and where credentials are required), that will raise confidence and likely move this from 'suspicious' to 'benign.'
Review Dimensions
- Purpose & Capability
- ok: Name, description, and declared APIs (chat, image_generation) align with generating thumbnail concepts; there are no unrelated required binaries, env vars, or config paths.
- Instruction Scope
- note: SKILL.md gives high-level, appropriate instructions for producing thumbnail concepts. It does include vague guidance to 'use the relevant SkillBoss capabilities to generate supporting assets,' which could grant the agent broad discretion at runtime; allowed-tools lists Bash and Read (but the instructions do not actually require reading local files or running shell commands).
- Install Mechanism
- ok: No install spec and no code files; the skill is instruction-only, which is lower risk. README shows optional manual install via git clone from a GitHub repo, but that repo/slug differs from the registry metadata (likely a copy-paste mismatch).
- Credentials
- ok: No environment variables, credentials, or config paths are requested. The SKILL.md mentions image_generation APIs but does not request or declare any API keys; if an image service is needed, credentials would need to be provided later, and that should be explicit.
- Persistence & Privilege
- ok: always:false (default) and normal autonomous invocation allowed. The skill does not request persistent system presence or modifications to other skills/configs.
