Skill v1.7.0

ClawScan security

Browser Canvas Poetry · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 22, 2026, 1:30 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested resources, instructions, and included files are coherent with its stated purpose (generating browser-native generative art from poetic/literary prompts) and do not ask for unexplained credentials or installs.
Guidance
This skill appears coherent for generating browser-native generative art and asks for no credentials or installs, which is low-risk. Items to consider before installing/use:
1) The skill contains many examples that optionally use the camera/microphone and optional external APIs (Wikipedia/poetry DB). If you run generated demos in a browser, those demos may request permissions; only grant them when you trust the page.
2) There is one included code file (scripts/art-validator.js). If you want extra assurance, open that file and the references to verify there are no unexpected network endpoints or obfuscated code before running any automated tooling that executes skill code.
3) Generated projects (HTML/JS) could include fetch() calls to arbitrary URLs if you or the agent accept external references; review any runtime network endpoints before executing.
4) The skill encourages producing front-end code; be aware that running generated code in browsers can expose local resources (camera, microphone, local files if user permits). If you need stricter isolation, run generated demos in a sandboxed environment or inspect the code first.

Review Dimensions

Purpose & Capability
ok
Name/description (browser canvas poetry) align with the content: SKILL.md, many references, templates and an integration guide all describe generating front-end art, interactive demos, and BCPP manifests. The one included code file (scripts/art-validator.js) plausibly fits a validator role for art manifests and is not inconsistent with the stated purpose.
Instruction Scope
note
Runtime instructions stay within front-end art generation: produce prompts, templates, and code (single HTML or Pretext projects). The SKILL.md explicitly favors pure front-end (no backend). It does mention optional internet access for art references (Wikipedia, poetry DB) and optional user inputs such as camera/audio for some interactive examples; these are reasonable for the domain but worth noting because camera/microphone and external API use can surface privacy/permission implications.
Install Mechanism
ok
No install spec is provided (instruction-only skill) and no binaries or package installs are required. This minimizes disk-write and remote-code-execution risk compared to skills that download/extract archives or run installers.
Credentials
ok
The skill requests no environment variables, no credentials, and no config paths. The SKILL.md mentions optional public APIs (Wikipedia, poetry DB) but does not mandate API keys or secret material. The declared requirements are proportionate to the stated functionality.
Persistence & Privilege
ok
Flags indicate always:false and no special persistence. The skill is user-invocable and allows normal autonomous invocation (platform default), which is expected for helper skills; there are no indications it attempts to alter other skills or request permanent presence.