Skill v1.0.1

ClawScan security

Skulk Skill Scanner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 20, 2026, 12:02 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent: it is a static, instruction-only skill that includes a JavaScript static scanner consistent with its name and description and does not request unrelated credentials or install external software.
Guidance
This scanner appears to be what it claims: a static pattern-based skill scanner. Before trusting its results, run it in a sandbox or on a copy of the skill directory (not on system roots), and: (1) run it with --include-self to self-audit the scanner; (2) manually review any FAIL/WARN findings (static checks produce false positives and false negatives); (3) inspect and if needed customize SAFE_DOMAINS to match your environment; (4) remember it is static-only — it cannot detect runtime-generated exfiltration or sophisticated obfuscation, so follow up with manual review and, for high-risk skills, runtime monitoring in an isolated environment prior to granting sensitive credentials or deployment.

Review Dimensions

Purpose & Capability
ok
Name, description, SKILL.md usage, and the included scripts/scanner.js are consistent: the tool is a static analyzer for skill folders and does only file-reading and pattern-matching. It does not request unrelated credentials, binaries, or system privileges.
Instruction Scope
note
SKILL.md limits runtime actions to running node scripts/scanner.js against a skill folder and describes the scanner's detection categories. This stays within the stated purpose. One design note: the scanner defaults to ignoring its own scripts (shouldIgnore excludes scripts/scanner.js unless --include-self is used), which reduces self-noise but can hide issues in the scanner itself unless the user intentionally self-scans.
Install Mechanism
ok
There is no install spec and no downloads; the skill is instruction-only with a bundled script. Nothing writes new binaries or pulls external code during install — lowest-risk install model.
Credentials
note
The skill requires no environment variables or external credentials. The scanner looks for environment-variable usage patterns in target skills (e.g., process.env) but does not itself read the host environment. The hardcoded SAFE_DOMAINS allowlist is a policy choice — it can cause false negatives for otherwise benign domains or false negatives for suspicious domains if the list is overly permissive; changing it requires editing the script.
Persistence & Privilege
ok
The skill does not request persistent presence (always:false) and does not modify other skills or agent configuration. It runs when invoked by the user and has no autonomous background behavior.