Skill v1.0.0
ClawScan security
漫剧 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign, Mar 26, 2026, 1:53 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and declared inputs are coherent with its stated purpose (turning a local novel text into web‑toon PNGs), but it depends on an external PyPI package (libtv) that you should verify before installing or running.
- Guidance: This skill appears to do exactly what it says: read a local UTF-8 text file and produce PNG web‑toon pages using a WebtoonCreator class. The main risk is the external dependency 'libtv' (libtv==0.3.2) referenced in requirements.txt — PyPI packages can execute arbitrary code at install/runtime. Before installing or running this skill: 1) inspect the libtv package source (e.g., pip download + unpack or check its repository) to ensure it doesn't perform network exfiltration or other unexpected actions; 2) run the script in a sandboxed environment (container or VM) with no access to sensitive files/credentials; 3) prefer running it on sample data first and review output files; and 4) if you cannot audit libtv, avoid installing it on systems with sensitive data.
Review Dimensions
- Purpose & Capability: ok. Name/description, SKILL.md, README, requirements.txt and the included libtv_qunqin.py are consistent: the skill reads a local story file, configures panel count/font/output_dir, calls WebtoonCreator from the libtv package, and writes PNG output. No unrelated capabilities or credentials are requested.
- Instruction Scope: ok. Runtime instructions and the script only read JSON from stdin and the referenced local story_file, create the output directory, invoke WebtoonCreator, and print a JSON result. The SKILL.md does not ask the agent to read other system files, env vars, or contact external endpoints directly.
- Install Mechanism: note. There is no install spec included (instruction-only), but requirements.txt pins libtv==0.3.2 (plus Pillow and tqdm). Installing from PyPI is moderately risky because packages can contain arbitrary code; the skill itself does not include a source for libtv, so verify that libtv is a trustworthy package before pip installing.
- Credentials: ok. The skill requests no environment variables, credentials, or config paths—appropriate for a local file-to-image converter.
- Persistence & Privilege: ok. The skill does not request always:true or any elevated/persistent platform privileges; it runs only when invoked and does not write or modify other skill configurations.
