Skill v1.0.0

ClawScan security

sales-intelligence-outreach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 7:41 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's described end-to-end posting and scraping capabilities rely on other named skills and platform credentials, but this instruction-only bundle does not declare required credentials or provenance for those components — an incoherence that merits caution.
Guidance
This skill is an orchestration recipe that delegates scraping and posting to other named skills (Agent-Reach, nano-banana-pro, xiaohongshu-mcp, 公众号助手). Before installing or using it:
1) Ask where those sub-skills come from and inspect their source, install specs, and required credentials; those are the components that will actually access accounts and network resources.
2) Do not provide sensitive credentials until you verify how they are stored and used; prefer temporary/sandbox accounts for testing.
3) Confirm compliance with platform terms and local privacy laws for scraping and unsolicited outreach.
4) Test in a controlled environment to see what prompts or credential requests appear at runtime.
5) If you expect automatic posting, require explicit runtime confirmation for each publish action to avoid unintended broadcasts.
If you cannot verify the provenance of the referenced sub-skills or how credentials are handled, treat this skill as potentially risky.
Findings
[NO_SCAN_FINDINGS] (expected): No code files present; the regex-based scanner had nothing to analyze. For instruction-only skills this is expected, but it means behavioral risk must be judged from SKILL.md and the referenced external skills.

Review Dimensions

Purpose & Capability
concern: The SKILL.md claims full pipeline abilities (search/scrape LinkedIn, Weibo and 小红书 (Xiaohongshu), generate images, and publish to accounts). Those actions normally require API keys, account credentials, or browser automation tooling. The package declares no required env vars, credentials, binaries, or install steps and has no source/homepage; this mismatch between claimed capabilities and declared requirements is suspicious.
Instruction Scope
note: The instructions stay within the advertised sales-intelligence/outreach scope (search, analyze, generate content, publish). They do not instruct reading local files or exfiltrating arbitrary system data. However, they are high-level and delegate key actions to other named skills (Agent-Reach, nano-banana-pro, xiaohongshu-mcp, 公众号助手) without specifying how credentials/access are obtained, validated, or limited, leaving runtime behavior ambiguous.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. Nothing is written to disk by this package itself, so install risk from bundled code is low. Actual runtime risk depends on the other skills it orchestrates.
Credentials
concern: The workflow requires posting to multiple platforms and scraping third-party sites, which in practice requires credentials or tokens (API keys, account logins) and possibly third-party service configuration. The skill declares no required environment variables or primary credential. This omission is a proportionality/information gap: either the required secrets will be requested at runtime by other skills, or the orchestration assumes implicitly present credentials. Both are potential security surprises for users.
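The Purpose & Capability and Credentials concerns above both rest on one heuristic: what the skill text claims it can do versus what the manifest declares it needs. The checker below is an added example of that heuristic and is not ClawHub's scanner. The manifest shape it parses (a `---`-delimited front-matter block with `requires_env`, `homepage`/`source` keys, followed by a Markdown body that lists sub-skills as `- uses skill: NAME`) is an assumption for illustration; ClawHub's real SKILL.md schema may differ. The two manifests are constructed: the first mirrors the capabilities and sub-skills this report describes, the second is a well-declared counterpart that should pass.

```python
"""Capability-vs-declaration check for an instruction-only skill manifest.

Added example, not ClawHub's scanner. The manifest format (front matter
between --- lines, `- uses skill:` bullets in the body) is an assumption.
"""
import re

# Phrases that, in practice, imply credentials, tokens or browser automation.
CAPABILITY_PATTERNS = {
    "publish":  re.compile(r"\b(publish|post to|broadcast)\b", re.I),
    "scrape":   re.compile(r"\b(scrape|crawl|search)\b", re.I),
    "generate": re.compile(r"\bgenerate\s+(images?|pictures?)\b", re.I),
}
# Capabilities for which at least one declared secret is expected.
NEEDS_CREDENTIALS = {"publish", "scrape"}
# Assumed sub-skill reference syntax in the body.
SUBSKILL_RE = re.compile(r"^\s*-\s*uses skill:\s*(\S+)", re.I | re.M)


def parse_manifest(text):
    """Split `--- key: value ... ---` front matter from the Markdown body."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta, m.group(2)


def _as_list(value):
    """Parse a minimal `[A, B]` list; empty or missing -> []."""
    return [v.strip() for v in (value or "").strip("[] ").split(",") if v.strip()]


def review_skill(text):
    """Return claimed capabilities, declared requirements and findings."""
    meta, body = parse_manifest(text)
    claimed = {name for name, pat in CAPABILITY_PATTERNS.items() if pat.search(body)}
    declared_env = _as_list(meta.get("requires_env"))
    subskills = sorted(set(SUBSKILL_RE.findall(body)))
    findings = []

    # Claims credentialed actions but declares no secrets at all.
    privileged = sorted(claimed & NEEDS_CREDENTIALS)
    if privileged and not declared_env:
        findings.append(("concern", "claims %s but declares no required credentials"
                         % ", ".join(privileged)))
    # Delegates to other skills with nothing to trace their provenance.
    if subskills and not (meta.get("homepage") or meta.get("source")):
        findings.append(("concern", "delegates to %s with no source/homepage"
                         % ", ".join(subskills)))
    # Publishes without any mention of a per-action confirmation step.
    if "publish" in claimed and not re.search(r"\bconfirm", body, re.I):
        findings.append(("note", "publishes without mentioning runtime confirmation"))

    return {
        "claimed": sorted(claimed),
        "declared_env": declared_env,
        "subskills": subskills,
        "findings": findings,
        "verdict": "suspicious" if any(lvl == "concern" for lvl, _ in findings) else "ok",
    }


# Constructed manifest mirroring the capabilities and sub-skills in this report.
SUSPICIOUS_MANIFEST = """---
name: sales-intelligence-outreach
version: 1.0.0
requires_env: []
---
# Workflow
1. Search and scrape prospects on LinkedIn, Weibo and 小红书.
   - uses skill: Agent-Reach
2. Generate images for the outreach post.
   - uses skill: nano-banana-pro
3. Publish to the 小红书 and 公众号 accounts.
   - uses skill: xiaohongshu-mcp
   - uses skill: 公众号助手
"""

# Constructed counterpart that declares its secrets and provenance.
DECLARED_MANIFEST = """---
name: example-outreach
version: 0.1.0
homepage: https://example.invalid/skills/example-outreach
requires_env: [XHS_TOKEN, WECHAT_APP_SECRET]
---
# Workflow
1. Publish the approved draft to 小红书.
   - uses skill: xiaohongshu-mcp
2. Ask the operator to confirm before every publish action.
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, DECLARED_MANIFEST):
        result = review_skill(manifest)
        print(result["verdict"], result["findings"])
```

The check is deliberately conservative: it flags an information gap, not malice, which is also how the verdict above should be read. A skill can clear it by declaring its required secrets and a source/homepage, and the `note` on missing confirmation disappears once the workflow states that each publish action is confirmed at runtime.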
Persistence & Privilege
ok: always:false and no install; the skill does not request persistent/system-wide privileges itself. Autonomous invocation is allowed (platform default). Note: if other installed skills have autonomous posting capabilities, the combined behavior could have greater impact, but that is not inherent to this instruction-only bundle.