Orchestrates humanizer, de-ai-ify, copywriting, and tweet-writer to create authentic, persuasive, platform-tailored content with clear engagement and factual...
Security Analysis
medium confidenceInstructions, requirements, and requested actions align with a meta content-orchestration skill; the only notable risk is that it instructs use of npx to fetch and run other skills (networked code execution), so review upstream packages before installing.
The skill is a meta-orchestrator that coordinates four writing/editing sub-skills. Requiring node and npx is coherent because the SKILL.md explicitly instructs using npx to install those upstream skills. No unrelated credentials, binaries, or config paths are requested.
SKILL.md stays on-topic: it collects user inputs, prescribes a five-stage editing pipeline, and invokes named upstream skills. It does not ask to read local files, system config, or any unrelated environment variables. However, the instructions do require running network install commands (npx clawhub@latest ...) which will fetch and execute remote code.
There is no formal install spec in the package, but the runtime instructions tell the operator to run npx -y clawhub@latest install <skill> and npx update --all. npx performs on-demand network fetch and executes code from the npm/registry namespace (clawhub and the listed skills). This is a common mechanism but carries moderate risk: remote code execution and supply-chain changes if the remote package changes. Consider pinning versions and auditing the clawhub and upstream skill packages before running them.
The skill declares no required environment variables or credentials, which matches its content-creation purpose. Note: the upstream skills it installs could themselves request credentials or env vars; the SKILL.md notes an optional analyzer (ai-humanizer) — check those upstream manifests for any additional secrets.
No elevated persistence requested: always is false, disable-model-invocation is false (normal), and there are no config paths or system-wide modifications declared. The skill does instruct installing other skills locally, but that is not the same as requesting persistent platform privileges.
Guidance
This skill appears coherent for orchestrating writing-editing sub-skills, but it relies on running npx commands that will fetch and execute remote packages (clawhub and the listed skills). Before installing or running: 1) Inspect and pin the versions of clawhub and each upstream skill (avoid always using @latest). 2) Review the upstream skills' manifests/readmes for any requested env vars or network endpoints. 3) If possible, run installations in an isolated environment (container or VM) rather than on a sensitive host. 4) Verify the reputation/source of the clawhub package and the listed upstream skills (owner, package contents). These steps reduce supply-chain risk from remote install/update commands.
Latest Release
v1.0.0
**Major update: Overhauled from a content marketing suite to a focused meta-skill for humanized, platform-appropriate copywriting.** - Replaces previous brand voice/SEO/social post toolkit with a meta-skill that orchestrates multiple purpose-specific copywriting and "humanization" tools. - New pipeline: drafts persuasive content, then applies anti-AI-pattern editing, conversational voice shaping, copywriting structures, and formats results for LinkedIn and X. - Requires local installation of separate `humanizer`, `de-ai-ify`, `copywriting`, and `tweet-writer` skills. - Ensures every output includes: final LinkedIn post, voice edit summary, persuasion framework info, 5-part X thread, and variant hooks/CTAs. - Strict rules for authenticity, specificity, natural rhythm, and platform fit; explicit guardrails against fabrication or manipulative tactics. - Old templates, frameworks, and reference scripts removed; now only coordinates installed upstream skills.
More by @h4gen
Published by @h4gen on ClawHub
