Skillv1.0.0

ClawScan security

Twitter Image Generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignApr 14, 2026, 3:00 PM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's files and runtime instructions are coherent with its stated purpose (generating Twitter/X images) and nothing in the package requests unrelated credentials, installs, or file access.
Guidance: This skill appears internally consistent for generating Twitter/X images, but before enabling it you should: 1) Confirm how the platform resolves the generate_image/list_templates/etc. calls (which remote service is contacted and where credentials are stored). If Rendshot requires an API key, ensure it is provided via the platform's integration settings, not pasted into prompts. 2) Avoid sending sensitive or private data in image-generation prompts (prompts are typically sent to a remote service). 3) Ask the skill author or platform operator for the Rendshot service endpoint and privacy/retention policy if you need to know how created images and template HTML are stored and who can access them. 4) If you want to prevent autonomous use, consider disabling the skill's autonomous invocation in your agent settings (the skill itself is not marked always:true, but agent autonomy is platform-default). If you need provenance for auditing, request the author's homepage or source repository (none provided).

Review Dimensions

Purpose & Capability: okName/description match the behavior in SKILL.md: the instructions focus on creating Twitter/X post images, thread headers, link preview cards, and templates. The included reference docs (algorithm, design, templates) support that purpose. The skill does not request unrelated binaries, env vars, or config paths.
Instruction Scope: okRuntime instructions are limited to: asking clarifying questions, consulting the included reference files, selecting templates, and calling image-generation helpers (generate_image, list_templates, get_template, create_template). The instructions do not direct the agent to read arbitrary files, system config, or unrelated environment variables, nor to exfiltrate data to ad-hoc endpoints.
Install Mechanism: okNo install spec and no code files — this is instruction-only, so nothing is written to disk or fetched at install time. This is the lowest-risk install model.
Credentials: noteThe skill declares no required env vars or credentials, which is consistent with the package. However, SKILL.md uses functions named generate_image/list_templates/get_template/create_template (Rendshot API calls implied) but does not state how or where Rendshot credentials/config are provided. Verify on your platform whether a Rendshot integration requires an API key or workspace credential and where that is configured.
Persistence & Privilege: okalways:false and the skill does not request persistent presence or modify other skills' settings. It only describes creating templates (create_template) which appears to be within the skill's own domain.