Skillv1.0.0

ClawScan security

tokamak-vault-breach · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 26, 2026, 7:21 PM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions coherently describe how to attack a remote AI vault (API discovery, prompt injection, file reads) and require no installs or credentials, but they explicitly guide exfiltration and social-engineering tactics against an external service of unknown provenance — a high-risk use case that warrants caution.
Guidance: This skill is an instruction-playbook for actively trying to extract secrets from a remote AI agent. That makes it high-risk even though it has no install or credential requests. Before installing or using it: 1) Confirm you have explicit authorization to test the listed URL/target (unauthorized access may be illegal). 2) Do not provide your own credentials or private keys to the skill or the remote dashboard. 3) Prefer to run any interactions in an isolated/sandboxed environment and avoid enabling autonomous, unsupervised runs. 4) Verify the dashboard URL and community links independently (they could be malicious or phishing). 5) If you cannot verify the source/owner or the legality of the challenge, do not proceed — treat this as potentially abusive guidance rather than a benign utility.

Review Dimensions

Purpose & Capability: okThe name/description match the instructions: this is an instruction-only CTF/playbook for extracting a secret seed from a remote AI agent. There are no unrelated required binaries, env vars, or installs, so the declared capabilities align with the stated purpose.
Instruction Scope: concernThe SKILL.md explicitly instructs the agent to perform social engineering, prompt-injection, and file-system exfiltration (e.g., attempt to read /vault.key) via the target's chat API. It gives open-ended guidance to probe the agent and 'bypass' protections, which grants broad discretion and encourages sensitive-data extraction. While coherent with a CTF objective, these actions are high-risk and can be used for unauthorized access; the instructions do not constrain or limit potentially abusive behavior.
Install Mechanism: okNo install specification or code files are provided; the skill is instruction-only. This minimizes disk/execution risk from the skill bundle itself.
Credentials: okThe skill requests no environment variables, credentials, or config paths, which is proportionate to an instruction-only guide. Note: although the skill doesn't request your secrets, it instructs the agent to attempt to extract secrets from a remote agent and to interact with external endpoints, so the interaction could induce credential exposure if misused.
Persistence & Privilege: okThe skill does not request always:true or other elevated installation privileges. Model invocation is allowed (default), which is normal; however, because the instructions encourage exfiltration techniques, allowing autonomous invocation could increase risk if the agent is permitted to act without supervision.