Skill v1.0.0

ClawScan security

Tieba · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 9:20 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only Baidu Tieba (forum) operations guide and its requirements and content are coherent with that purpose.
Guidance
This skill is an advice/manual-style assistant for running a Tieba community and appears internally consistent. Before enabling it: (1) avoid giving any account credentials or API tokens to the skill — it does not require them; (2) if you allow the agent to act autonomously, restrict actions that perform deletions, bans, or automated scraping unless you trust and audit those integrations; (3) when implementing automated bots or evidence collection, follow Baidu's terms of service and privacy laws (notify users when collecting screenshots/logs); (4) treat the skill as a consultant — prefer human review for enforcement decisions and credentialed operations.

Review Dimensions

Purpose & Capability
ok: Name/description describe forum operations and the SKILL.md contains guidance on moderation, content strategy, interaction and monitoring — all aligned with a Tieba operations assistant. The skill requests no unrelated binaries, credentials, or installs.
Instruction Scope
note: SKILL.md is high-level best-practice guidance (moderation steps, evidence collection, bot configuration suggestions). It does not include commands to access local files, call external APIs, or exfiltrate data. Note: suggestions like "截图留证" (take screenshots/collect evidence) and configuring an automatic delete bot imply actions a human or separate tooling would perform; if the agent is allowed to act autonomously you should control what live actions it may take.
Install Mechanism
ok: No install spec and no code files — instruction-only skills present minimal installation risk because nothing is downloaded or written to disk.
Credentials
ok: The skill declares no environment variables, credentials, or config paths. There is no request for unrelated secrets or system access.
Persistence & Privilege
ok: always is false and the skill does not request persistent/system-level privileges or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other red flags here.