Back to skill
Skillv0.1.1
ClawScan security
Data Boundary · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 30, 2026, 6:32 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill does what it says — a bundled Python parser that annotates CSV/JSON for instruction-like text before model reasoning — with no network calls or secret access, but there are a few small operational mismatches to note.
- Guidance
- This skill appears coherent and not malicious: it bundles a Python parser that flags 'instruction-like' strings and produces bounded previews for model analysis. Before installing, confirm you have Python 3 available on the runtime (SKILL.md expects `python3` but the metadata doesn't list it). Be aware the parser output includes absolute input paths and sample field values (these will be visible to the model or any downstream consumer of the parser output). The heuristics are conservative and may flag benign text; treat alerts as annotations, not proof of intent. If you handle highly sensitive files, run the provided script locally in a sandbox on representative samples to confirm the emitted JSON and limits behave as you expect.
- Findings
[ignore-previous-instructions] expected: The pre-scan flagged prompt‑injection text because the SKILL.md and parser heuristics explicitly discuss and search for phrases like 'ignore previous instructions'. This is intentional and appropriate for a boundary/parser that detects instruction-like text.
Review Dimensions
- Purpose & Capability
- noteThe name/description match the included parser code: ingest_data.py parses CSV/JSON and emits structured JSON with alerts and previews. One minor mismatch: SKILL.md instructs running `python3 {baseDir}/scripts/ingest_data.py`, but the skill metadata lists no required binary; the runtime therefore implicitly requires a Python 3 interpreter that is not declared.
- Instruction Scope
- okRuntime instructions are narrowly scoped to parsing files and inspecting the parser output. The skill explicitly forbids feeding raw blobs to the model and directs bounded previews. The parser output includes absolute input paths, sample values, and flagged alerts — which is expected for its purpose but means local path and sampled field contents will appear in the emitted JSON returned to the model.
- Install Mechanism
- okNo install spec or remote downloads; the parser is bundled as source in the skill. No archives or external package installs are requested.
- Credentials
- okThe skill requests no environment variables or credentials and the bundled script does not read secrets or external configs. The detection heuristics intentionally include patterns like 'printenv' and 'curl' only for matching; they are not executed.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system privileges or modify other skills. agents/openai.yaml allows implicit invocation (normal). The skill does read arbitrary file paths provided to it (intended functionality).