Skill v0.1.3

ClawScan security

Git-Map · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 12:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's functionality (Git-like ops for ArcGIS) is coherent, but there are multiple security and metadata inconsistencies you should understand before installing (exposed local HTTP API with permissive CORS, insecure handling of passwords via CLI flags/process args, and a mismatch between declared and required environment variables).
Guidance
This skill appears to do what it claims (Git-like operations for ArcGIS), but there are a few practical risks to weigh before installing or running it:

- Metadata mismatch: the registry lists no required environment variables, but the code and SKILL.md require PORTAL_URL, ARCGIS_USERNAME and ARCGIS_PASSWORD (or a scoped token). Treat that as an honest mismatch, but make sure you are comfortable providing these credentials.
- Secrets handling: the tool may pass passwords as CLI flags ("--password"), which exposes them to other local users via process listings. Prefer scoped API tokens, avoid plaintext passwords, and run this in an isolated environment (dedicated VM or container) if possible.
- Local HTTP server + permissive CORS: server.py starts a localhost HTTP API and sets Access-Control-Allow-Origin: '*'. If you run the server, web pages in your browser can make cross-origin requests to it and trigger actions that use the stored credentials. Note that browsers enforce CORS by withholding the response from the page, not by refusing to send the request, so removing the wildcard stops a malicious page from reading results but not from triggering a POST; an allowlisted Origin check plus a per-run token on every state-changing endpoint is needed. If you must run the server, apply both and only call it from trusted contexts.
- Package provenance: SKILL.md recommends pip install gitmap-core. Before installing, review the gitmap-core package source (SKILL.md links a GitHub URL; verify that it matches the package on PyPI) and install in a virtual environment.
- Least privilege: provide only the minimum credentials needed (scoped tokens over full passwords), and avoid setting credentials globally in your system environment; consider runtime injection or a secrets manager.

Given these issues, proceed cautiously: verify the upstream gitmap-core project, prefer tokens, avoid running the server with the default CORS settings, or use the CLI directly rather than exposing a local HTTP API.

Review Dimensions

Purpose & Capability
note: The name, description, and code match: this is a thin wrapper around a gitmap CLI / gitmap_core library to manage ArcGIS web maps. Requesting ArcGIS portal credentials and a working directory makes sense for this purpose. However, the registry metadata claims no required environment variables while SKILL.md and the code clearly expect PORTAL_URL, ARCGIS_USERNAME and ARCGIS_PASSWORD (or tokens), an inconsistency between declared metadata and actual requirements.
Instruction Scope
concern: SKILL.md instructs the agent/user to set portal credentials and to install gitmap-core, which is expected. But the skill also runs a local HTTP server (server.py) whose endpoints call the tool functions, and it sets Access-Control-Allow-Origin: '*' (CORS wildcard). That combination lets any web page the user visits (or an attacker controlling a local browser context) make cross-origin requests to the local server, trigger tool actions that may use the environment credentials, and read the results. The server also accepts username/password overrides in the JSON body, and the tools fall back to environment variables when present. Accepting an arbitrary cwd, portal_url, username and password via the API gives the runtime far more discretion than the simple CLI wrapper description suggests and widens the attack surface.
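An added example, not code from the skill or from its server.py: a minimal request-authorization check for a localhost tool API that contrasts the wildcard the scanner flagged with an allowlisted-Origin check plus a per-run bearer token. The allowed origin, the header names, the token scheme and the port are assumptions for illustration.

```python
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed trusted front-end origin; a real deployment would make this configurable.
ALLOWED_ORIGINS = {"http://127.0.0.1:3000"}


def authorize(method, headers, allowed_origins, token):
    """Return (status, response_headers) for a request to a state-changing endpoint.

    Browsers enforce CORS by withholding the response from the page, not by
    refusing to send the request, so the Origin check alone does not stop a
    malicious page from triggering an action. The bearer token is what protects
    the action; the Origin allowlist is what stops cross-site reads.
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    resp = {}
    if origin is not None:
        if origin not in allowed_origins:
            return 403, resp  # unknown site: no CORS headers, no action
        resp["Access-Control-Allow-Origin"] = origin  # echo the allowlisted origin, never '*'
        resp["Vary"] = "Origin"
    if method == "OPTIONS":  # preflight from an allowlisted page
        if origin is None:
            return 400, resp
        resp["Access-Control-Allow-Methods"] = "POST"
        resp["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
        return 204, resp
    auth = h.get("authorization", "")
    presented = auth[len("Bearer "):].encode() if auth.startswith("Bearer ") else b""
    if not hmac.compare_digest(presented, token.encode()):
        return 401, resp
    return 200, resp


class WeakHandler(BaseHTTPRequestHandler):
    """The pattern the scanner flagged: any page can call the tool and read the reply."""

    def do_POST(self):
        self.send_response(200)
        self.send_header("Access-Control-Allow-Origin", "*")
        self.end_headers()
        self.wfile.write(b'{"ran": true}')


class HardenedHandler(BaseHTTPRequestHandler):
    token = secrets.token_urlsafe(32)  # generated per server run, printed at startup

    def _respond(self, status, hdrs, body=b""):
        self.send_response(status)
        for k, v in hdrs.items():
            self.send_header(k, v)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):
        status, hdrs = authorize("OPTIONS", self.headers, ALLOWED_ORIGINS, self.token)
        self._respond(status, hdrs)

    def do_POST(self):
        status, hdrs = authorize("POST", self.headers, ALLOWED_ORIGINS, self.token)
        if status != 200:
            self._respond(status, hdrs, json.dumps({"error": "unauthorized"}).encode())
            return
        # Hypothetical tool dispatch would go here; the body is parsed only after
        # the caller has been authorized.
        self._respond(200, hdrs, json.dumps({"ran": True}).encode())


if __name__ == "__main__":
    print("API token:", HardenedHandler.token)
    HTTPServer(("127.0.0.1", 8765), HardenedHandler).serve_forever()
```

A trusted front end reads the printed token once and sends it as an Authorization header; a page on any other origin receives 403 with no Access-Control-Allow-Origin header, and a request that reaches the server without the token (for example a form POST fired from another site) is refused before any tool function runs.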
Install Mechanism
note: There is no install spec in the registry (instruction-only), and SKILL.md asks users to pip install gitmap-core. The skill files themselves use no third-party download URLs or archive extraction. A pip install is expected for a Python wrapper, but verify the origin and trustworthiness of the gitmap-core package (and that the PyPI package matches the linked GitHub source) before installing.
Credentials
concern: The skill requires portal credentials to function, which is reasonable for ArcGIS access, but the code passes passwords via CLI flags (--password) when calling the gitmap CLI. Command-line arguments are visible to other local users via process listings and to any tooling that captures process arguments, so passing secrets this way is insecure. The subprocess invocations also copy the entire os.environ into the child, exposing unrelated environment variables (including any other secrets in the parent's environment) to the subprocess. Finally, the registry claims no required env vars while the runtime depends on PORTAL_URL, ARCGIS_USERNAME, and ARCGIS_PASSWORD (or tokens).
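An added example, not the skill's own code: a subprocess wrapper that avoids both problems described above, the secret on the command line and the wholesale copy of os.environ. It launches a small Python child in place of the gitmap CLI so that it runs offline; the flag names, the ARCGIS_TOKEN variable and the allowlist are assumptions for illustration.

```python
import json
import os
import subprocess
import sys

# Flags that would put a credential into argv, where `ps`, /proc/<pid>/cmdline
# and crash reporters can read it (assumed names for illustration).
SECRET_FLAGS = {"--password", "--token", "-p"}

# Only these parent variables are forwarded; everything else (cloud keys, other
# API tokens, proxy credentials) stays in the parent process.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "SYSTEMROOT")


def argv_leaks_secret(argv):
    """True if any argument is a credential flag, as `--password x` or `--password=x`."""
    return any(arg.split("=", 1)[0] in SECRET_FLAGS for arg in argv)


def child_env(parent_env, secrets, allowlist=ENV_ALLOWLIST):
    """Build the child's environment from an allowlist plus the secrets it needs."""
    env = {k: v for k, v in parent_env.items() if k in allowlist}
    env.update(secrets)
    return env


# Stand-in for the gitmap CLI: reports which environment keys it can see and
# reads its credential from ARCGIS_TOKEN rather than from a flag.
CHILD_PROGRAM = (
    "import json, os, sys;"
    "print(json.dumps({'argv': sys.argv[1:], 'env_keys': sorted(os.environ),"
    " 'has_token': 'ARCGIS_TOKEN' in os.environ}))"
)


def run_tool(args, parent_env, token, allowlist=ENV_ALLOWLIST):
    """Run the (stand-in) tool with a minimal environment and the token out of argv."""
    if argv_leaks_secret(args):
        raise ValueError("refusing to pass a credential on the command line")
    env = child_env(parent_env, {"ARCGIS_TOKEN": token}, allowlist)
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_PROGRAM, *args],
        env=env, capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    # Constructed parent environment: an unrelated secret sits next to the ones we need.
    parent = {"PATH": os.environ.get("PATH", ""), "AWS_SECRET_ACCESS_KEY": "unrelated", "HOME": "/tmp"}
    print(run_tool(["commit", "-m", "update"], parent, "scoped-token"))
    try:
        run_tool(["login", "--password", "hunter2"], parent, "scoped-token")
    except ValueError as e:
        print("blocked:", e)
```

The child sees PATH, HOME and ARCGIS_TOKEN but not AWS_SECRET_ACCESS_KEY, and the credential never appears in its argument list. A process environment is still readable by the same user (and root), so a scoped, short-lived token is the right thing to put there; a long-lived portal password should not be handed to the child at all.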
Persistence & Privilege
ok: The skill is not marked always:true, does not modify other skills, and only runs a local HTTP server bound to localhost. It requests no system-wide persistence beyond the process that runs when it is executed. The server logs to stdout and does not alter system or agent config files.