Skill v1.0.5
ClawScan security
SkillGuard Hardened · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 6:56 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: SkillGuard's code and runtime requirements line up with its stated purpose as a high‑privilege skill-auditor, but there are a few implementation details and external hosts you should verify before trusting it in production.
- Guidance: SkillGuard is broadly coherent: it legitimately needs python3 and an AI key, and the code implements scanning, AI-based intent checks, reporting, and quarantining. Before installing:
  1. Verify the Zenmux provider and limit the privileges of the ZENMUX_API_KEY (use a scoped key if possible).
  2. Inspect guarded_flow.py and manage_skill.py to confirm they enforce the --force/--yes delete confirmations and do not blindly execute remote content fetched via npx/curl/wget.
  3. Validate the remote-update hosts (moltbook.com and fluxapay.xyz); confirm they are official/trusted sources for policy/manifest updates, or remove/unconfigure remote updates.
  4. Confirm the configured allowed_roots/quarantine/report directories map to a workspace you control (avoid unexpected absolute paths like /root/clawd unless that is intended).
  5. Run the skill in an isolated test environment first and review logs/reports to ensure remediation actions behave as described.
  If you are concerned about autonomous invocation, do not grant the agent permission to call this skill automatically until you have tested it.
- Findings
  - [ignore-previous-instructions] (expected): A prompt-injection phrase was detected in SKILL.md. Given that this project explicitly scans for prompt injection and documents examples, the presence of such text is likely illustrative/test content rather than an attempt to hijack the evaluator, but you should still inspect the exact occurrences to confirm they are only examples or detection rules.
Review Dimensions
- Purpose & Capability (note): The name and description claim a skill-auditor, and the package contains static analysis, AI-audit, reporting, and remediation code that matches that purpose. Requiring python3 and a Zenmux API key is coherent. Minor oddities: SKILL.md mentions remote updates from moltbook.com and fluxapay.xyz (fluxapay.xyz is an unexpected host for a guard tool), and the human-readable SKILL.md documents an absolute default report path (/root/clawd/...) that doesn't match the policy placeholders used by the code (which render paths from the workspace). These should be verified but do not by themselves contradict the stated purpose.
- Instruction Scope (note): SKILL.md and the scripts direct the agent to scan skill directories, run guarded execution wrappers, and perform quarantine/restore/delete actions, all within the declared purpose. The instructions include commands that fetch or install skills (npx-add, moltbook-install) and a guarded exec wrapper that will invoke untrusted code via subprocess; this is expected for an install gate but expands the skill's runtime surface (network fetch plus execution of wrapped binaries). Confirm the guarded execution flow does not blindly execute remote content without verification.
- Install Mechanism (ok): There is no external install spec (instruction-only install behavior); the package contains Python scripts, and no download/install step is required by the skill itself. This is the lower-risk model for a code-included skill.
- Credentials (ok): Only ZENMUX_API_KEY (and optional model override envs) is required for AI auditing. The code reads a few alternate env var names as fallbacks and optional model/base-url overrides. That level of credential access is proportional to an AI-backed auditing tool; no unrelated cloud credentials are requested.
- Persistence & Privilege (note): The skill modifies filesystem state (move to quarantine, delete with shutil.rmtree, write reports/audit logs). Those privileges are necessary for remediation but are high-impact. The policy enforces allowed roots and the code asserts that operations stay within those allowed roots, which mitigates risk; still, deletion is possible and must be guarded by the operator flags described in SKILL.md.
