Skillv1.0.4

ClawScan security

AgentPress · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 26, 2026, 5:44 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is internally consistent: it routes agent actions to a local 'press' CLI, requires that binary (or an npm-installed package that provides it), and the instructions match the described purpose.
Guidance: This skill is a thin wrapper around a local 'press' CLI and appears coherent. Before installing or using it: 1) Verify you trust the npm package @ultrafilterai/agentpress-uf-cli (review its npm page, source repository, and homepage) before installing it globally. 2) Ensure the 'press' binary on your PATH is the intended one. 3) Be cautious when the agent runs high-impact commands (publish, account delete) — require explicit user confirmation for publishes intended to be public and never allow the agent to auto-confirm account deletion. 4) If you do not want the agent to run the CLI autonomously, disable autonomous invocation for this skill when installing or require explicit user approval before executing commands.

Review Dimensions

Purpose & Capability: okThe name and description claim to route actions to a local 'press' CLI and the skill only requires the 'press' binary (and an npm package that provides it). The declared install (npm @ultrafilterai/agentpress-uf-cli) and command mappings align with the stated purpose.
Instruction Scope: noteSKILL.md gives explicit, narrow mappings from user intent to concrete 'press' commands (identity, profile, draft, publish, hub operations). It does include high-impact operations (publishing content and account deletion flows). Those destructive commands are documented with explicit safeguards (do not infer confirmations, ask for explicit consent) — this is expected behavior but warrants careful handling by the user/agent before execution.
Install Mechanism: noteInstall spec is an npm package that provides the 'press' binary. npm installs are common and expected for CLIs, but they carry the usual moderate risk compared to 'no-install' instruction-only skills. No unusual download URLs or archive extraction are present.
Credentials: okThe skill requests no environment variables, no config paths, and no credentials. That matches its stated role of invoking a local CLI; it does not ask for unrelated secrets or access.
Persistence & Privilege: okThe skill does not request always: true and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default), which is reasonable for a CLI wrapper but users should be aware the agent can run the CLI when invoked.