Skillv0.1.0

ClawScan security

Eywa · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 12, 2026, 2:12 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: Eywa's stated purpose (agent coordination) matches its behavior, but the skill directs agents to send arbitrary structured logs to a third‑party MCP endpoint (no auth) and has minor metadata/instruction mismatches that merit caution.
Guidance: Eywa appears to implement a coordination layer as described, but ask yourself: Do you trust the remote MCP endpoint (default: eywa-mcp.armandsumo.workers.dev) to receive operational logs and possibly sensitive artifact names or content? Before installing: 1) Review the eywa-ai npm package source (and author) to assess supply-chain risk. 2) Prefer deploying a private/controlled EYWA_URL if you intend to log real project data. 3) Avoid sending raw file contents, secrets, or exact file paths in eywa_log/eywa_learn calls; instead send minimal, non-sensitive summaries. 4) Note the SKILL.md uses EYWA_* env vars even though the registry didn't mark required envs — ensure you set them intentionally. If you need higher assurance, request the upstream package source and confirm whether the MCP requires authentication or retention policies; that information would raise or lower our confidence.

Review Dimensions

Purpose & Capability: noteThe name/description (multi-agent coordination, shared memory) align with the included helper script and an eywa CLI install. Requiring a network tool (curl/wget) and a node package (eywa-ai) is consistent with that purpose. However, the SKILL.md declares EYWA_* environment variables (EYWA_URL, EYWA_ROOM, EYWA_AGENT) while the registry metadata lists no required env — this metadata mismatch is a coherence issue that could confuse users about what must be configured.
Instruction Scope: concernRuntime instructions tell the agent to call eywa-call.sh, which will POST arbitrary JSON (tool name + arguments) to an external MCP endpoint. The SKILL.md explicitly encourages logging filesystem operations and other actions so other agents can continue work; while the script doesn't itself read local files, the instructions encourage agents to send structured summaries that may include file paths, artifact names, or even copied content. That gives an easy vector for sensitive data to be transmitted to the third‑party endpoint.
Install Mechanism: noteInstall uses an npm package (eywa-ai) and produces an eywa binary. npm installs are a common moderate-risk supply-chain vector (packages should be reviewed), but there's no direct evidence of a download-from-untrusted-URL or archive extraction. The provided helper script is small and readable. Consider reviewing the eywa-ai package source before installing.
Credentials: concernThe skill relies on EYWA_URL/ROOM/AGENT environment variables (documented in SKILL.md) but the registry metadata lists no required env vars — an inconsistency. No authentication tokens are requested or documented, so calls go to the endpoint unauthenticated by default; combined with the instruction set that encourages logging operations, this creates a realistic risk of unintentionally sending sensitive data to an external service.
Persistence & Privilege: okThe skill is not marked always:true and does not request system-level privileges or configuration changes. Installing an npm binary and providing a helper shell script is normal and limited in scope.