Skill v2.0.1
ClawScan security
Tweet Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 10:53 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested actions and files match its description: it is a local, file-based tweet drafting tool that stores data under your home directory and does not require credentials or network access.
- Guidance: This skill appears to do what it advertises: local tweet drafting and history stored under ~/.local/share/tweet-generator with no network use or credentials required. Before installing, review the script if you want extra assurance. Note the small functional issues: history.log format differs from SKILL.md's stated pipe-separated format (may affect some status/search output) and the JSON export does not escape content values (content containing quotes/newlines can produce malformed JSON). Avoid storing secrets or passwords in drafts, and if you prefer minimal risk, run the script in a sandbox/container or inspect the repo at the provided source URL before use.
Review Dimensions
- Purpose & Capability (ok): Name/description (tweet drafting, threads, scheduling, hashtags, exports) match the included shell script and SKILL.md. The skill requests no unrelated credentials or system access and uses only standard coreutils.
- Instruction Scope (note): SKILL.md and the script mostly align: all commands operate on local logs in ~/.local/share/tweet-generator and there are no external network calls. Minor inconsistencies: SKILL.md describes a uniform 'YYYY-MM-DD HH:MM|content' format for logs including history.log, but the script's _log() writes history.log entries in a different human-readable format (MM-DD HH:MM type: content) and some code paths read history.log expecting a '|' separator; this is a functional inconsistency but not a sign of external exfiltration. Also, grep is invoked without '--', which can cause unexpected behavior for search terms beginning with '-' (functional/usability issue).
- Install Mechanism (ok): No install spec; this is an instruction-only skill with a single included Bash script. Nothing is downloaded or written outside the user's home data directory by the script.
- Credentials (ok): The skill declares and requires no environment variables, no credentials, and no config paths. The script uses only the user's HOME to create a data directory, which is proportionate to its purpose.
- Persistence & Privilege (ok): The skill persists only to ~/.local/share/tweet-generator (its own data dir). It does not request always:true and does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (normal for skills) but is not combined with broad credential access.
