Skillv1.0.0

ClawScan security

Adaptive Skill Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 3:15 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (help find/create skills) matches its instructions, but the SKILL.md tells an agent to read/write specific workspace paths and install/search internet hubs without declaring those access needs — this mismatch and the hard-coded path warrant caution.
Guidance: This skill is a procedural guide for finding/creating other skills and is not itself downloading code, but it tells an agent to read and write skill directories and to search/install from the internet. Before installing or allowing autonomous use: 1) Confirm what filesystem and network permissions the agent runtime has (will it be able to create files under <workspace>/skills or D:\internal-hub\skills?). 2) Prevent automatic installation of third-party skills without human review (especially from external hubs). 3) Watch for the hard-coded Windows path (D:\internal-hub\skills) and adjust or remove it if you run a different OS or have different policies. 4) Require review of any generated SKILL.md, scripts, or assets before they are executed or installed system-wide. If you cannot or do not want the agent to create files or install packages automatically, restrict its file-write and network permissions or avoid enabling implicit/autonomous invocation for this skill.

Review Dimensions

Purpose & Capability: noteName and description align with the instructions: the skill is a process guide for discovering, installing, or creating skills. However, the guidance expects the agent to inspect workspace skill directories, shared extra-skill directories, and perform installs from ClawHub/the internet — capabilities that imply filesystem and network access even though no config paths, binaries, or credentials are declared.
Instruction Scope: concernSKILL.md explicitly tells the agent to read and create skills under specific filesystem paths (e.g., <workspace>/skills and a hard-coded Windows path D:\internal-hub\skills), search/install from ClawHub/the internet, and create new SKILL.md and potentially scripts. Those are concrete actions that involve reading/writing the filesystem and contacting external services but the skill does not declare or limit those accesses. The hard-coded D:\ path is platform-specific and unexpected. There are no explicit instructions to exfiltrate secrets, but the broad file-write instructions increase the attack surface if the agent generates or installs code without human review.
Install Mechanism: okThis is an instruction-only skill with no install spec and no bundled code. That is lower risk from an installation perspective because nothing is downloaded or written by a packaged installer.
Credentials: noteThe skill declares no required environment variables or credentials, which is reasonable for a guidance-only skill. But the runtime instructions assume network access and filesystem read/write permissions (including shared/central skill directories) that are not declared. The mismatch means the agent may attempt operations that require privileges or credentials not considered in the metadata.
Persistence & Privilege: notealways is false (good) and allow_implicit_invocation is true in the included agent policy (normal). The skill instructs creating and editing local skills, which will persist on disk if performed — that is expected for a factory-style skill but increases risk if the agent is allowed to autonomously create executable scripts or install third-party skill packages without approval.