Skill v0.1.0
ClawScan security
Council · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 7, 2026, 3:04 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: Skill's purpose and instructions are coherent, but the included persona files grant broad local shell and network capabilities to spawned subagents without explicit limits — this raises data-exposure and execution risk and deserves caution before installing.
- Guidance: This skill appears to implement what it claims (a multi-persona deliberation council), but it grants each persona powerful tools (shell access, file read/glob, and web fetch/search) that are not explicitly limited by the SKILL.md. Before installing:
  1) Inspect install.sh and do not run it until you confirm it only copies files into ~/.claude and does nothing unexpected.
  2) Review each agents/council-*.md file: the 'tools' lines (Bash, Read, Glob, WebFetch, WebSearch) are the key risk. Consider removing or restricting Bash/Read/Glob if you don't want subagents to access local files.
  3) If possible, run the skill in a sandboxed account or VM where it cannot access sensitive files or credentials.
  4) If you must install to your main environment, consider editing the agent files to remove network (WebFetch) or shell (Bash) tools so they can only reason over the included persona definitions.
  5) Watch for any unexpected outbound network activity while running the skill.

  If you want, I can (a) list exact lines to search for in install.sh, (b) point out where to remove or alter 'tools' entries in the persona files, or (c) help craft a safer, restricted SKILL.md variant.
Review Dimensions
- Purpose & Capability (note): The name/description (a multi-persona 'council') match the included SKILL.md and the 11 persona files. Having subagents for different personas is consistent with the stated goal. However, every persona file declares tools like Read, Grep, Glob, Bash, WebSearch, and WebFetch — capabilities that go beyond pure in-memory reasoning. Those tools are plausible for personas that cite 'read' or 'search' behavior, but they are broader than a minimal deliberation skill (they allow arbitrary file reads and shell commands). This is not necessarily malicious, but it is more privilege than the description implies.
- Instruction Scope (concern): Runtime instructions explicitly tell the coordinator to spawn subagents and to have each member 'Read your agent definition at ~/.claude/agents/council-{name}.md'. The protocol otherwise leaves subagents free to use their declared tools in Round 1–3. The SKILL.md does not restrict those tools' use to only the agent files, so subagents could (through Bash/Read/Grep/Glob) access arbitrary filesystem paths and (through WebFetch/WebSearch) external network resources. The instructions therefore permit actions that could expose local files or transmit data externally, which is scope creep relative to a simple deliberation assistant.
- Install Mechanism (ok): No install spec from an external URL is present; installation is instruction-only plus an included install.sh and copy instructions. The README instructs copying agents into ~/.claude/agents/ and SKILL.md into ~/.claude/skills/. That is a normal, low-risk install pattern for a local agent skill. The actual install.sh content was not provided for review here; if it performs only the copy operations shown in README, risk is low. If it runs other commands, that would need review.
- Credentials (concern): The skill declares no required env vars or credentials, which matches its purpose. However, the persona files grant tools (Bash, Read, Glob, WebFetch) that can be used to read environment variables or local credentials from disk at runtime even though none are requested. Because the SKILL.md does not constrain the tools' use, the effective permissions are larger than declared — a proportionality mismatch that increases exposure of secrets on the host.
- Persistence & Privilege (note): The skill is not 'always: true' and is user-invocable only, which is reasonable. Installation copies files into ~/.claude/agents and ~/.claude/skills — this creates a persistent presence in the user's Claude environment (normal for local skills). There is an install.sh included; its actions should be inspected before running. The skill does not declare modifying other skills or global config, but the copy into ~/.claude is a local persistent change.
