Skill v1.0.0

ClawScan security

Compliance Evidence Assembler · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 16, 2026, 5:59 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and local Python script are coherent with its stated purpose (assembling audit evidence and doing directory-based reviews); it is an instruction-first, local-only tool and does not request credentials or perform network calls.
Guidance
This skill appears coherent and local-only, but take these precautions before use: (1) Review scripts/run.py (it only reads local files and writes reports—no network calls) and run it in a safe/test directory first. (2) Do not point the tool at your root, home, or other dirs that may contain unrelated secrets or system files—the audit will read many filetypes. (3) Use --dry-run or run with sample/example-input.md to verify output format. (4) Keep sensitive inputs redacted before scanning. (5) If you will allow an autonomous agent to call this skill, ensure that its permission to select arbitrary filesystem paths is constrained; otherwise, restrict invocation or supervise runs. Overall the skill is consistent with its described purpose.
Findings
[curl_pipe_bash] expected: scripts/run.py includes a regex to detect 'curl | bash' patterns in scanned files — expected for a pattern-audit feature that looks for risky constructs.
[dangerous_rm] expected: The script searches for 'rm -rf' patterns when scanning targets; this is appropriate for highlighting dangerous commands in audit material.
[base64_exec] expected: The pattern detecting base64 decoding piped to execution is present so that the audit can flag obfuscated exec constructs in scanned files—consistent with a compliance scanner.
[secret_like] expected: The script detects secret-like assignments (api_key, token, secret, password) and partially redacts them in reports. This is useful and expected for evidence review; however, it still reads files that may contain secrets if the user points the tool at sensitive locations.
[private_url] expected: Detection of private/internal URL patterns is reasonable for an audit/pattern scanner to flag exposure of internal endpoints.

Review Dimensions

Purpose & Capability
ok: Name/description (evidence assembly, audit workflows) match the included resources and the Python script: spec.json declares mode 'directory_audit', SKILL.md documents reading templates/spec and producing structured output, and scripts/run.py implements directory/csv/pattern/skill audits. Required binaries (python3) are proportional.
Instruction Scope
note: SKILL.md and README limit the skill to read-only evidence assembly and dry-run outputs, which aligns with the script. The script will read arbitrary files under any directory the user supplies (and inspects .md, .py, .sh, .json, .csv, etc.), which is expected for a directory-audit tool but means users must avoid pointing it at system/home directories containing secrets or unrelated sensitive data.
Install Mechanism
ok: No install spec; this is an instruction-first skill with a local Python script that depends only on the standard library. No remote downloads, package installs, or archive extraction are present.
Credentials
ok: The skill requires no environment variables, no credentials, and no config paths. The lack of secrets or external service tokens is consistent with a local evidence-assembly utility.
Persistence & Privilege
ok: 'always' is false and the skill does not request persistent privileges. It does not modify other skills or system-wide agent settings. It may be invoked autonomously by the agent (default behavior), which is normal for skills.