Skill v1.0.0

ClawScan security

redbook-cards-skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 3:28 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, inputs, and outputs are consistent with its stated purpose (generating a single HTML file of styled 'card' images); it is instruction-only, asks for no secrets, and installs nothing.
Guidance
This skill appears coherent and limited to generating an HTML card set from provided article_content. Things to consider before installing/using:

(1) The generated HTML links to Google Fonts (fonts.googleapis.com); opening the file in a browser will cause external network requests for fonts — replace with local fonts if you need offline/privacy guarantees.
(2) The README/workflow suggests optionally fetching article HTML via an HTTP request and using Puppeteer/Playwright for screenshots — these are integration choices that can enable the agent to access remote URLs or run a headless browser; only enable those if you trust the environment and the URLs being fetched.
(3) The skill sends the article text to whatever LLM you configure (this is required for content extraction), so avoid feeding sensitive/private content unless you trust the model/execution environment.
(4) Review demo-output.html / EXAMPLE.md to confirm visual/style expectations before automating screenshots.

No secrets or installers are required, and nothing in the skill suggests data exfiltration endpoints or hidden behaviors.

Review Dimensions

Purpose & Capability
ok: Name/description match the actual behavior: the SKILL.md and PROMPT.md describe extracting title/series/core points/tags from article_content and producing a single inline-CSS HTML file. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
note: Instructions stay within scope (parse article_content, slice into 5–7 cards, emit HTML). The docs include an example workflow that may fetch remote HTML (HTTP Request → Text Cleaner) and recommend Puppeteer/Playwright for screenshots — these are optional integration suggestions, not built-in behavior. The skill does reference an external Google Fonts URL, which means a browser opening the generated HTML will make network requests for fonts.
Install Mechanism
ok: No install spec or code files to write/execute are included; the skill is instruction-only, so nothing is downloaded or installed by the skill itself.
Credentials
ok: The skill requires only article_content and optional style/series/card_count inputs. It requests no environment variables, credentials, or config paths — proportional for the task.
Persistence & Privilege
ok: always:false and no special persistence or cross-skill configuration is requested. The skill does not ask to modify other skills or system-wide settings.