Skillv1.0.0

ClawScan security

Scan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 8, 2026, 6:49 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description claims broad, highly sensitive multi-modal scanning capabilities (genomics, network forensics, LiDAR, document ingestion) but the runtime instructions and manifest provide no concrete requirements, tooling, or limits — a mismatch that could let an agent reach for sensitive data without clear justification.
Guidance: This skill claims powerful, sensitive scanning across genomics, network traffic, documents, and LiDAR but provides no concrete tooling, permissions, or provenance. Before installing: 1) Ask the publisher for a detailed spec — required binaries/drivers, exact data sources, and why each permission is needed. 2) Require explicit least-privileged declarations (which files/paths, which sensors, which APIs) and an install provenance (code, homepage, repo). 3) Do not enable autonomous invocation on agents that have access to protected data (health/genomic records, internal network captures, cameras/LiDAR) until audited. 4) Prefer skills that declare required env vars and install steps; if none are provided, assume the skill will attempt to use any data the agent can reach and treat it as high-risk. Providing the skill owner, homepage, or source code would materially change this assessment.

Review Dimensions

Purpose & Capability: concernThe name/description promise deep genomic, biometric, packet-level, vulnerability, document, and spatial analysis, but the skill declares no binaries, no environment variables, no config paths, and no install steps. Performing those tasks would normally require specialized binaries, drivers, credentials, or explicit data sources; the absence of any of those is disproportionate and incoherent with the stated capabilities.
Instruction Scope: concernSKILL.md is high-level and open-ended (e.g., 'ingesting raw reality', 'every byte ingested is immediately cross-referenced'). It references highly sensitive data types (VCF genomic files, packet-level analysis, LiDAR, etc.) but gives no boundaries or concrete commands. This vagueness grants broad discretionary scope to the agent and could encourage reading or transmitting sensitive files or telemetry without explicit limits.
Install Mechanism: noteNo install spec and no code files lowers immediate risk of arbitrary downloaded code, but is itself suspicious: the claimed capabilities would normally require libraries, drivers, or native tools. The lack of an install mechanism means the skill depends entirely on whatever the agent already has access to — a portability/integrity concern rather than direct install risk.
Credentials: concernThe skill requests no credentials or environment variables yet asserts it will process sensitive artifacts (genomes, telemetry, network packets). This mismatch is disproportionate: either the skill will need access to sensitive files/sensors held by the host, or it cannot function as claimed. The manifest should explicitly declare needed permissions and data sources — its absence is troubling.
Persistence & Privilege: notealways is false (appropriate) and it doesn't request persistent modification of other skills or system settings. However, autonomous invocation is allowed by default; combined with the skill's vague, broad scope and sensitive-data focus, that increases the potential blast radius if the agent has access to protected data.