Skill v1.0.0
ClawScan security
Developer Agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 22, 2026, 9:11 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: Instruction-only developer orchestration skill is mostly consistent with its stated purpose but contains several practical and privacy-related inconsistencies (notably forwarding all user attachments to Cursor and referencing runtime tools like git/pnpm without declaring them).
- Guidance: This skill mostly does what it says (orchestrating development with Cursor and git), but there are gaps and privacy risks you should consider before enabling it:
  - Confirm where 'Cursor' runs and who/what can access data forwarded to it. The skill instructs sending ALL user-provided links and attachments to Cursor — that can leak sensitive files or secrets if those attachments contain credentials or private data.
  - The SKILL.md instructs running git and pnpm commands, but the metadata declares no required binaries. Ensure the agent environment actually has git and pnpm available and that the agent is only given access to repositories you are comfortable sharing.
  - The rule 'Respect Cursor’s output — Never modify' prevents sanitization of Cursor-generated plans. If Cursor might echo secrets or sensitive file contents, you lose an opportunity to redact them.
  - If you plan to use this skill on private or sensitive codebases, test it first in a sandbox repository. Restrict the agent's repository access and avoid sending confidential attachments.
  - Ask the skill author (or registry maintainer) to: (1) declare required binaries (git, pnpm), (2) document where Cursor executions occur and who controls those models/hosts, and (3) clarify whether attachments are stored or relayed outside your environment.

  If the author can confirm Cursor is an internal, trusted component and update metadata to list required tools, the concerns become minor. Without that info, treat this as potentially exposing sensitive artifacts and proceed cautiously.
Review Dimensions
- Purpose & Capability (note): The skill's name/description (developer orchestration, git workflows, Cursor coordination) matches the instructions. However, it instructs use of runtime tools (git, pnpm) but declares no required binaries; that mismatch suggests either sloppy metadata or hidden requirements. Asking to include all user links/attachments when sending to Cursor is consistent with planning/implementation, but this broad forwarding should be explicit in metadata.
- Instruction Scope (concern): Runtime instructions direct the agent to 'explore the codebase thoroughly' and to send 'ALL user-provided links and attachments' to Cursor. That implies reading repository files and transmitting user attachments to another agent/model. The guidance 'Respect Cursor's output — Present Cursor's plan as-is. Never modify or restructure.' prevents the agent from sanitizing or redacting Cursor output before returning it to the user. These behaviors risk unintended exposure of sensitive files/attachments and remove an opportunity to sanitize outputs.
- Install Mechanism (ok): No install spec and no code files — lowest technical risk (nothing is written to disk by the skill). The instruction-only nature reduces supply-chain risk.
- Credentials (ok): The skill requests no environment variables, credentials, or config paths. Given the declared purpose, that is reasonable. Note however the instructions require networked coordination with Cursor and access to the codebase; those are runtime permissions rather than declared secrets.
- Persistence & Privilege (ok): always:false and no persistent install are appropriate. The skill allows normal autonomous invocation (platform default); combined with the instruction to forward attachments and code context to Cursor this raises the potential blast radius, but autonomous invocation on its own is expected and not flagged here.
