Skillv0.1.9

ClawScan security

Plan I · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 11:11 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (create a new planning file and write an initial draft) aligns with its files, but there are notable safety/usability inconsistencies — chiefly lack of input sanitization for the plan name (file path risks) and an ambiguous model-invocation setting versus the requirement to generate content before responding.
Guidance: This skill mostly does what it says: it creates a new planning markdown and expects the agent to write an initial draft into that file. Before installing or using it, consider the following: - Input sanitization risk: pl-init.sh uses the raw plan name to construct the filename. A malicious or malformed plan name (containing ../ or other special characters) could cause unexpected file paths; the script does not sanitize or validate names. Prefer rejecting names with slashes, dots, or shell metacharacters or update the script to sanitize/normalize the name. - Immediate write behavior: the skill mandates writing the user's draft to disk before responding. Ensure you are comfortable with the agent persisting the user's input and any derived content without an additional confirmation step. - Ambiguous disable-model-invocation flag: SKILL.md includes disable-model-invocation: true while the instructions require generating content from user input. Verify how your platform treats this flag — it might block the model-based generation the skill expects. - Safe scope: the script does not contact the network and checks for existing files before creating a new one (it aborts on conflict), which is good. Still, review the script and run it in a safe environment first (or patch it to sanitize names) if you plan to use it on sensitive systems. If you need to proceed: (a) patch pl-init.sh to validate/sanitize plan names (e.g., allow only [a-z0-9-]), (b) confirm platform behavior for disable-model-invocation, and (c) optionally add an explicit consent/confirmation step before persisting sensitive content.

Review Dimensions

Purpose & Capability: okName and description (start a planning process and create a planning file) match the included script and instructions. No unrelated credentials, binaries, or installs are requested.
Instruction Scope: concernSKILL.md instructs the agent to (1) run the included pl-init.sh to create a new file and (2) immediately write a generated initial planning draft to that file before outputting to the user. The script creates a template file but does not implement the agent's 'write the draft' step — the agent will need to perform the write itself. The instructions also enforce 'do not read existing planning files,' which is fine, but the requirement to write user-generated content to disk immediately (without an explicit confirmation step) is a privacy/consent consideration. Additionally, SKILL.md includes disable-model-invocation: true which is ambiguous relative to the requirement to analyze input and produce text to be written — if this flag prevents the model from being used in the way the author expects, execution may fail or be inconsistent.
Install Mechanism: okNo install spec; the skill is instruction-only with one included shell script. No remote downloads or external installs are performed.
Credentials: okNo environment variables, credentials, or external config paths are requested. The script operates on a local 'plans' directory and does not contact external services.
Persistence & Privilege: noteThe skill is not 'always' enabled and does not request elevated platform privileges. It does create files under a 'plans' directory relative to the working directory; this is expected for the stated purpose but still grants the skill the ability to write persistent files to disk.