Skill v1.0.0
ClawScan security
AI Copywriting Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 17, 2026, 10:53 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill implements the advertised copywriting functionality, but its metadata and SKILL.md omit a required API credential (OPENCLAW_API_KEY) and do not disclose that user content will be sent to the OpenClaw API — this mismatch is an incoherence you should resolve before installing.
- Guidance: This skill appears to do what it says (generate marketing copy) but there are two practical concerns to resolve before installing or running it: (1) the Python code requires an OPENCLAW_API_KEY environment variable but the registry metadata and SKILL.md do not declare or document that requirement; ask the author to add this to the metadata and docs; (2) using the skill sends your product descriptions and targets to the OpenClaw API (via the 'openclaw' client). Verify the origin and integrity of the 'openclaw' pip package (is it the official client?), confirm the privacy policy of the OpenClaw service, and only provide non-sensitive sample data until you trust the library. If you need higher assurance, ask the author to: (a) update metadata to list OPENCLAW_API_KEY as required, (b) document where 'openclaw' is published (PyPI URL or company homepage), and (c) add a note in SKILL.md about what data is transmitted and retention/privacy practices.
Review Dimensions
- Purpose & Capability: ok. The name/description (AI copywriting for multiple platforms) matches the provided code and instructions: templates for platforms, generate/optimize methods, and a CLI entrypoint are implemented. Use of an LLM client (OpenClaw) is coherent with the stated purpose.
- Instruction Scope: concern. SKILL.md shows how to install and use the library but does not mention the required OPENCLAW_API_KEY. The code will raise an exception if OPENCLAW_API_KEY is not set and will send product/features/target text to the OpenClaw service. The SKILL.md also suggests pip installing a third-party package (openclaw) but provides no provenance or privacy warning about sending user content to a remote API.
- Install Mechanism: ok. There is no platform install spec (instruction-only), and the SKILL.md recommends 'pip install openclaw'. This is low-to-moderate risk but you should verify the pip package source and trustworthiness of the 'openclaw' package before installing.
- Credentials: concern. Registry metadata declares no required environment variables, but the code requires OPENCLAW_API_KEY (and will abort if it's not set). The missing declaration is an incoherence. Requiring a single API key for the configured client is reasonable for this skill, but it must be declared and justified in metadata and docs.
- Persistence & Privilege: ok. The skill does not request elevated or persistent platform privileges: always is false, it doesn't modify other skills or system config, and it is user-invocable. Nothing in the files indicates it will persistently alter agent settings.
