Skill v1.0.0

ClawScan security

Gh · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 12:58 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's runtime instructions clearly require the GitHub CLI and authenticated access to GitHub, but the skill metadata does not declare the gh binary or any authentication environment variables — an internal mismatch that should be resolved before trusting the skill.
Guidance
Before installing:
1) Confirm the gh binary will be present on agents (install from GitHub CLI official releases) and ask the skill author to declare that dependency.
2) Decide how to provide authentication: prefer ephemeral gh auth flows or a scoped GH_TOKEN with least privilege; do not paste high-privilege tokens blindly.
3) Test the commands in a non-production repo to confirm behavior and flags (especially destructive commands like merge/delete/force-push).
4) If you want to limit risk, restrict the skill to user-invoked use only or avoid supplying credentials to agents that can invoke skills autonomously.
5) Ask the publisher to update metadata to list required binaries and auth requirements — the current mismatch is the reason for caution.

Review Dimensions

Purpose & Capability
concern: The SKILL.md is explicitly a guide to using the GitHub CLI (gh) and issues many gh commands; however the registry metadata lists no required binaries or credentials. A gh-based skill should at minimum declare the gh binary and acknowledge the need for authentication (e.g., GH_TOKEN or gh auth). The absence of those declarations is an incoherence between purpose and declared requirements.
Instruction Scope
ok: The instructions are narrowly scoped to running gh commands (repo, issue, PR, release workflows) and include safety notes. They do not instruct reading arbitrary files, scanning system state, or exfiltrating data beyond typical GitHub operations.
Install Mechanism
note: This is instruction-only (no install spec), which is low-risk because nothing is automatically written to disk. Still, because the SKILL.md assumes gh is available, the metadata should advertise that dependency so operators know to ensure the binary is installed from a trustworthy source.
Credentials
concern: The skill does not declare any required environment variables or primary credential, yet authenticated gh usage requires credentials (interactive auth or GH_TOKEN). Not specifying this leaves ambiguity about how credentials are provided and may lead users to supply tokens in insecure ways.
Persistence & Privilege
ok: The skill does not request permanence (always: false) and is user-invocable. Autonomous invocation is allowed by platform default but is not combined with other high-risk behaviors here; still, granting an agent the ability to run GitHub operations autonomously could have real effects on repos if credentials are available.