Skill v1.0.3

ClawScan security

Cross Bot Communication · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 12, 2026, 6:25 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated zero-credential, zero-install model doesn't match its behavior (it claims to scan groups/channels and manage bot tokens), so it requires clarification before installation.
Guidance
This skill asks the agent to scan all groups/channels and build a relations table but declares no required credentials; don't install yet. Before proceeding, ask the author: (1) exactly which platform APIs/connectors will be used and what credentials are required (e.g., TELEGRAM_BOT_TOKEN) and why they aren't declared, (2) where scanned data and the relations table are stored and who can read them, (3) whether any data is sent to external endpoints (the config.example's 'fallback_method' including 'github_discussion' is suspicious), and (4) whether you can limit the skill's scope (test in an isolated account or restrict to a single group). If you can't verify the source or get clear answers, avoid installing or run it only with a throwaway bot/account with minimal permissions.

Review Dimensions

Purpose & Capability
Concern: The skill promises automatic scanning of existing groups/channels and building a 'social relationship' table between owners and bots. That functionality reasonably requires access to chat platform data and bot tokens (e.g., Telegram bot_token shown in config.example.json), but the skill declares no required credentials, binaries, or config paths — this mismatch suggests the declared requirements are incomplete or misleading.
Instruction Scope
Concern: SKILL.md explicitly instructs the agent to 'scan existing groups/channels' and build/maintain a relations table and perform automated binding. Those instructions imply reading chat membership, bot roles, and possibly user identifiers. The instructions do not disclose where scanned data is stored, what connectors/APIs are used, or whether any data is transmitted externally (the fallback_method value 'github_discussion' in config.example.json is notable). This scope (scanning all groups/channels) is broad and privacy-sensitive.
Install Mechanism
Note: There is no install spec and no code files to execute, which reduces immediate disk-write/remote-download risk. However, because the skill is instruction-only, the actual behavior depends entirely on the agent's existing connectors and permissions — the absence of install artifacts lowers one class of risk but doesn't eliminate runtime access concerns.
Credentials
Concern: The skill declares no required environment variables, but config.example.json includes sensitive fields (bot_token, default_channel_id) and the README describes scanning and building relation tables. Requiring such secrets without declaring them is disproportionate and opaque. It's unclear which credentials the agent will need or how they should be provided/stored.
Persistence & Privilege
Concern: The 'always' flag is false (good), but the skill's runtime behavior (automatic scanning across groups/channels and maintaining relations) implies broad access to agent-connected chat data. There is no description of data retention, storage location, or access controls for the generated relation table, meaning persistent sensitive state could be created without clear governance.