Skill v1.1.10
ClawScan security
Black Fortress · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 18, 2026, 11:06 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package largely implements a local pre-installation sandbox as claimed, but there are inconsistencies and a few operational/security caveats (registry metadata mismatch, privileged/host-dependency surface, and omitted files) that warrant manual review before use.
- Guidance: This package appears to implement the described 5-layer, local sandbox and most files are coherent with that goal, but proceed cautiously:
  1. Reconcile the registry metadata mismatch: SKILL.md requires docker, python3 and Pillow even though the registry reported none.
  2. Inspect microvm_orchestrator.py and the seccomp-profile.json before running: verify how source directories are mounted (ensure read-only mounts for original source), what capabilities are granted to sandboxes, and whether any host paths are exposed.
  3. Be aware kernel-level tracing (eBPF/syscall) may require root or special capabilities; if unavailable the audit degrades to informational only.
  4. The obfuscator intentionally strips docstrings/prints and truncates long strings (>50 chars); expect legitimate code that uses string reflection or long embedded strings to break.
  5. Confirm you are using version >= v1.1.6 (the README claims an environment-leak bug was fixed in v1.1.6); avoid older releases.
  6. Build and run the tool on an isolated machine or disposable VM, not on a production host.

  If you want to proceed, review the microvm_orchestrator and any container/VM launcher code in full and test with non-sensitive example projects first.
Review Dimensions
- Purpose & Capability (note): The name/description (agent sandboxing, 5-layer protocol) matches the included scripts (obfuscator, orchestrator, entropy gate, behavioral audit, output filter, microVM orchestrator, seccomp profile). However, the registry metadata at the top of the report lists "required binaries: none" and "required env vars: none" while SKILL.md explicitly requires docker, python3 and Pillow; this mismatch is noteworthy and should be reconciled.
- Instruction Scope (concern): Runtime instructions and the scripts instruct building a Docker image and running multiple local Python scripts that: obfuscate source, run the code in containers/micro-VMs, collect syscall traces, perform entropy analysis, and recompress/strip outputs. That scope matches the stated purpose but raises operational concerns: kernel-level tracing (eBPF/syscall extraction) and seccomp enforcement depend on host support and privileges and may be unavailable in ordinary Docker mode (the code already degrades/flags when traces are missing). The orchestrator and microVM code (microvm_orchestrator.py) was truncated/not fully shown here; that file is critical because it controls container/VM creation, mounts, and seccomp/eBPF hooks, so you should review it to verify mounts are read-only and that no unexpected host access is performed. Also, the obfuscator intentionally strips docstrings/prints and truncates long strings (>50 chars), which will break code that relies on string reflection or long literal content (this is documented but can be disruptive).
- Install Mechanism (ok): No external downloads or package installs are specified by the skill registry; the Dockerfile is bundled and the runtime base image is a known distroless image from gcr.io. There is no remote URL extraction or third-party install host in the provided files. This is low-to-moderate install risk provided you build the local image from the included Dockerfile and run it in a controlled environment.
- Credentials (note): The skill declares no required credentials, and SKILL.md/black_fortress.py implement an explicit safe-env whitelist to avoid leaking host secrets (PATH, DOCKER_BIN, PYTHONPATH, locale vars, HOME, TMPDIR, TERM). That is proportionate and appropriate. Caveat: the README documents a prior version that leaked os.environ to subprocesses; the repo claims that was fixed in v1.1.6. Confirm you are using the fixed version (the published version here is 1.1.10).
- Persistence & Privilege (note): The skill is not marked always:true and is user-invocable only. It requires elevated privileges only for the optional Firecracker micro-VM mode (root), while Docker mode is intended to run non-root. Kernel-ground-truth features (eBPF/syscall tracing) may need additional host capabilities; expect reduced functionality if those capabilities are not available. This privilege model is explainable given the purpose, but you should run the orchestrator in an isolated host/VM to reduce blast radius.
