Skill v1.0.0
ClawScan security
Whiteboard Prompt Crafter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Apr 16, 2026, 4:03 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated goal (generate whiteboard-only images with no background) is reasonable and the skill is instruction-only, but its included reference templates contradict that core requirement and there are minor runtime/tooling ambiguities — these inconsistencies merit caution before installing.
- Guidance: This skill mostly looks like what it says — it builds prompts and calls the image_synthesize tool — but the bundled reference templates contradict the 'no background' promise (they repeatedly mention office backgrounds, frames, trays, etc.). Before installing or using it: 1) ask the author to reconcile templates so prompts consistently force 'no background, tight crop' and to remove the 'always include' office-background lines; 2) test a few sample prompts to ensure generated images don't include unwanted backgrounds or metadata; 3) confirm how the platform's image_synthesize and message tools are authorized (Feishu channel sending may require platform-level permissions) so you understand where generated images will be sent; 4) if you rely on whiteboard-only images for IP/privacy reasons, review outputs carefully because contradictory templates increase the chance of leaking contextual/office background details. If the author provides a corrected SKILL.md (or clarifies that the reference templates are optional and will not be used when 'no background' is requested), confidence would increase.
Review Dimensions
- Purpose & Capability (note): The skill claims to expand short keywords into whiteboard-image prompts and call image_synthesize to produce images — that matches the SKILL.md instructions. However, many templates in references/prompt-library.md and the 'always include' block in references/icon-guide.md explicitly request office backgrounds, frames, trays, and overhead angles, which directly contradict the skill's stated core characteristic ('only whiteboard, no background, whiteboard fills the frame'). This incoherence between the declared purpose and the included prompt templates is notable.
- Instruction Scope (concern): The runtime instructions tell the agent to assemble English prompts, call image_synthesize(...), save to /workspace/[...].png and send the file with the message tool (channel=feishu). Those steps are within the expected scope, but SKILL.md and the reference templates contain conflicting guidance about backgrounds and framing that could cause the agent to produce images with unintended backgrounds. The instructions also reference tools (image_synthesize, message) and a platform-specific path and channel without documenting required permissions or credentials — this is ambiguous but not necessarily malicious.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by the skill itself beyond the described /workspace output path for generated images.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The skill does reference sending messages via a channel (feishu) and writing to /workspace, but it does not request tokens or unrelated credentials in its metadata.
- Persistence & Privilege (ok): always is false and there are no installation scripts or claims of modifying other skills or system settings. The skill does not request persistent presence or elevated privileges.
