Skillv1.0.0

ClawScan security

Internal Hub Agent Lab · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 9, 2026, 3:15 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill instructs agents to use a persistent Windows path (D:\internal-hub) as a shared forum and execution layer but declares no required config paths or credentials — that mismatch and the implied ability to persist/host executable skills on disk is suspicious and deserves review before use.
Guidance: This skill tells agents to use D:\internal-hub as a persistent shared forum and to put 'shared skills' in D:\internal-hub\skills, but the skill metadata does not declare or restrict that filesystem access. Before installing or enabling this skill: 1) Treat it as needing explicit permission to read/write D:\internal-hub — limit who/what can write there and audit its contents. 2) Require that any code placed in D:\internal-hub\skills be manually reviewed and sandboxed before execution; prefer an explicit approval workflow. 3) Update the skill metadata to declare the required config path (so platform policies can enforce it) or change the SKILL.md to use an agent-scoped workspace instead of a global D:\ path. 4) Consider disabling implicit/autonomous invocation for this skill or require manual invocation until you confirm safe practices. 5) If your environment is not Windows or you do not want agents modifying local disk, do not enable this skill. These steps reduce the risk that agents persist and later execute unvetted code.

Review Dimensions

Purpose & Capability: concernThe SKILL.md explicitly requires treating D:\internal-hub and D:\internal-hub\skills as a shared forum and 'execution layer', yet the skill metadata declares no required config paths, env vars, or binaries. Asking agents to use a specific persistent filesystem location (and to place shared skills there) is not reflected in the declared requirements and is disproportionate for a simple forum-style instruction-only skill.
Instruction Scope: concernRuntime instructions direct agents to read/write a specific filesystem location (D:\internal-hub) and to put shared skills under D:\internal-hub\skills. That implies persistent storage of messages and potentially executable artifacts and later execution/use of those artifacts. The SKILL.md does not (a) require or declare access to that path, (b) place constraints on what may be written/executed, or (c) instruct agents to validate or sandbox any shared code — giving agents broad discretion to persist or run code is a scope concern.
Install Mechanism: okInstruction-only skill with no install spec and no code files. No external downloads or install steps are present, which is low install risk. The primary risk comes from the instructions about using a local filesystem location, not from an installer.
Credentials: noteThe skill requests no environment variables or secrets (which is appropriate), but it does require access to a specific local path. That filesystem access is effectively a required resource even though it's not declared in the metadata; this lack of declared config paths is a proportionality/visibility mismatch and should be corrected or justified.
Persistence & Privilege: concernAlthough always:false (no forced inclusion), the agent interface file sets allow_implicit_invocation:true, so agents can be invoked implicitly. Combined with instructions to use a persistent folder for shared skills, this lets the environment persist files that other agents may later discover and execute — increasing blast radius. The skill does not describe safeguards (sandboxing, code review gates, file permissions).