Skill v1.0.1

ClawScan security

my skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 27, 2026, 3:01 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (producing structured personality/psychological reports from chat text/images) matches its instructions and included reference templates; it is an instruction-only skill with no extra credentials or installs requested.
Guidance
This skill is internally consistent with its stated purpose, but it processes potentially sensitive personal data. Before installing or using:
1) Ensure you have explicit permission from the person whose chats will be analyzed and that use complies with applicable laws and platform policies.
2) Consider redacting or anonymizing personally identifiable information (names, email/phone numbers, locations) before analysis.
3) Verify the privacy/security behavior of the helper skills it invokes (autoglm-image-recognition, autoglm-file-upload, md2pdf) because those may send data to external services or require credentials — the current bundle does not disclose their data handling.
4) Do not use outputs for clinical diagnoses; treat them as interpretive, probabilistic inferences.
5) If you need a stricter privacy guarantee, run analysis on sanitized/local-only data or request that invoked tools operate entirely locally (if supported).

Review Dimensions

Purpose & Capability
ok
The name/description (personality analysis from chat records) aligns with the runtime instructions, analysis framework, and report template included in the bundle. The skill asks for text, images (via image-recognition), and exported chat files and uses those to create a Markdown report and convert it to PDF — all consistent with the stated purpose.
Instruction Scope
note
Instructions stay focused on analyzing a target person's utterances and producing a structured report. They explicitly instruct using included references/analysis-framework.md and references/report-template.md. They also instruct using external helper skills (autoglm-image-recognition, autoglm-file-upload, md2pdf) and a 'read' tool for files; this will cause user data (text or images) to be passed to those tools/services, which is expected but worth noting from a privacy standpoint.
Install Mechanism
ok
No install spec or code files that would be downloaded/executed are present — the skill is instruction-only, which minimizes filesystem/write risk.
Credentials
ok
The skill requests no environment variables, credentials, or config paths. It does reference other skills/tools but does not require secrets itself. Be aware that invoked helper skills (image recognition, file upload, PDF conversion) might require credentials or transmit data externally; those are not declared here and should be examined separately.
Persistence & Privilege
ok
always:false and default autonomous invocation are set. The skill does not request persistent system privileges or modify other skills' configurations. It instructs generating a PDF report (expected behavior) but does not request elevated/system-wide access.