Back to skill
Skillv1.3.0
ClawScan security
SkillMetricScraper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousMar 2, 2026, 9:04 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it says (fetch ClawHub, rank, generate scripts), but its runtime requirements and instructions are inconsistent and it can access extra credentials (via the gh CLI) and system resources that are not declared — review before installing.
- Guidance
- This skill appears to implement the described ClawHub snapshot → rank → harvest → script pipeline, but there are several mismatches and implicit behaviors you should review before installing: 1) Check requirements.txt and inspect third-party packages before running pip install; run installs in an isolated environment (virtualenv/container). 2) The project_tracker uses the 'gh' CLI (subprocess.run) and will use whatever GitHub credentials the host's gh CLI provides — if you don't want the skill to access your GitHub account, avoid installing or run with --skip-meta / remove project_tracker. 3) If you care about limiting network exposure, run with flags to skip X/Twitter and GitHub capture (e.g., --skip-x, --snapshot-only) and test in --mock mode first. 4) Only provide ANTHROPIC_API_KEY (and any other API keys) with least privilege and consider using ephemeral/test keys. 5) Review where the DB and output files are written (default: ~/.local/share/skills-weekly or container workspace) and ensure that path is acceptable. If you need this skill, prefer running it in a dedicated container or VM and inspect/lock down any CLI tools (gh) or credentials on the host.
Review Dimensions
- Purpose & Capability
- noteThe skill's stated purpose (ClawHub discovery, ranking, script generation) matches the code: discovery, ranking, harvesting, and Anthropic-based script generation are implemented. However the declared registry metadata is incomplete: the package uses the GitHub CLI ('gh') via subprocess in project_tracker.py and expects pip packages (httpx, dotenv, etc.) but the registry 'required binaries' only lists python3 and there is no install spec. That mismatch between declared requirements and actual dependencies is an incoherence.
- Instruction Scope
- concernRuntime instructions and code perform network operations across multiple external services: ClawHub API, GitHub (API/raw), Anthropics (Claude via ANTHROPIC_API_KEY), and community sources (X/Twitter, Reddit). project_tracker.py calls the 'gh' CLI without declaring it or passing an explicit token, which means it will use any gh-authenticated user credentials on the host. The skill writes a local SQLite DB and output files under user/home or container paths. These actions are within the broad purpose but the implicit use of host GitHub auth (and the potential for additional captures via x_capture/reddit_capture) expands the attack surface beyond what the minimal declared requirements suggest.
- Install Mechanism
- concernThe registry lists no install spec (instruction-only), but SKILL.md instructs pip install -r requirements.txt and the repository contains requirements.txt and multiple Python modules that import third-party libraries (httpx, python-dotenv, anthropic client likely). There is no automated vetting or pinned-install mechanism declared; this manual-install pattern increases risk if users install packages without review. No downloads from untrusted URLs were seen in provided files.
- Credentials
- concernThe declared required env var (ANTHROPIC_API_KEY) is proportionate for LLM-based script generation. Optional env vars (GITHUB_TOKEN, XAI_API_KEY, CLAWHUB_BASE_URL) are reasonable. However, project_tracker uses the 'gh' CLI which will use any gh auth the host user has configured (without needing GITHUB_TOKEN env), effectively giving the skill access to host GitHub credentials not declared in requires.env. That implicit credential usage is disproportionate to a simple trending/reporting skill and should be made explicit or disabled by default.
- Persistence & Privilege
- okThe skill does create and write a local SQLite DB and output files under per-user data directories (or a container workspace). It does not request 'always: true', does not modify other skills' configs, and does not request elevated OS privileges. File writes are expected given the purpose.