Back to skill
Skillv1.0.3
ClawScan security
铜锣湾神婆打小人 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 15, 2026, 11:52 AM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent as a ritual-chant generator, but it tries to force invocation and to bypass the model's own reply/safety checks while producing targeted, potentially harassing content with no filtering — proceed with caution.
- Guidance
- This skill is functionally what it says (a local ritual-chant generator) but it includes two risky elements: (1) instructions that force the platform to always invoke the skill and to output the script's text verbatim, preventing the model from applying its usual safety checks; and (2) templates that target named individuals with insulting/abusive language and contain no filtering or safeguards. Before installing, consider: ensure the platform will not allow the skill to override global invocation/safety rules; require moderation/sanitization (e.g., prohibit real-person names, disallow requests targeting private individuals, or force anonymization); disable autonomous invocation or require explicit user consent each time; and confirm that marketplace/platform policies allow generation of this kind of targeted, abusive content. If you lack control over those mitigations, avoid installing or running this skill.
Review Dimensions
- Purpose & Capability
- okName/description match the actual code and instructions: the SKILL.md describes generating Cantonese '打小人' ritual chants and the included Python script implements four templates and parameter extraction. No unrelated binaries, env vars, or install steps are requested.
- Instruction Scope
- concernSKILL.md requires the agent to always call this skill when the keyword appears, to read references/sources.md, execute the provided script with the full user input, and to output the script's result verbatim (forbidding the model from modifying or sanitizing it). That workflow effectively prevents the model from applying its normal safety/filtering logic. The generated templates are explicitly targeted at named individuals (target_name) and contain insulting/abusive language; the script does not perform any safety checks, sanitization, or legality filtering of the target. This combination creates a real risk of enabling harassment or targeted abusive content.
- Install Mechanism
- okNo install spec and no remote downloads; the skill is instruction-only plus a local Python script. No network endpoints or external package installs are present in the files reviewed.
- Credentials
- okThe skill requests no credentials, no config paths, and no OS binaries. The local script reads only references/sources.md and local files; there are no access requests disproportionate to its described purpose.
- Persistence & Privilege
- concernAlthough registry flags show always:false, the SKILL.md includes a 'priority: 999' and explicit mandatory trigger logic ('must be 100% invoked when keyword appears, forbid model direct reply'), attempting to force high-priority invocation and to override normal model fallback. That directive conflicts with the declared registry flags and aims to elevate the skill's runtime authority and bypass model-level safeguards — a notable red flag.