Skill v2.0.0

ClawScan security

Academic Deep Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 15, 2026, 7:16 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose and required artifacts align (it's an instruction-only research skill using platform search/fetch tools), but the runtime instructions require revealing internal reasoning after every tool call and access to user memory without clear safeguards — this is unexpected and raises privacy/safety concerns.
Guidance
This skill appears to be what it claims (a research assistant) but includes two red flags you should consider before installing: (1) it mandates revealing its internal reasoning/'show your work' after every tool call — this can expose chain-of-thought, hidden context, or sensitive material and is generally discouraged; (2) it uses memory_search/memory_get (user memory) and Phase 3 runs with no further stops after approval, which can surface private data. Recommended actions before enabling: ask the publisher to remove or rephrase any instruction that requires revealing internal chain-of-thought (limit outputs to final findings and cited evidence only); require explicit, per-run consent for reading user memory and document what memory types will be read; add configurable limits (max pages fetched, allowed domains, and rate limits); keep the Phase 2 approval checkpoint mandatory and disallow automatic broad Phase 3 runs without a second explicit confirmation; and verify compliance with copyright and data-handling policies for fetched sources. If you cannot get these changes, treat the skill as higher-risk and avoid granting broad autonomous execution or memory access.

Review Dimensions

Purpose & Capability
ok: Name/description match the SKILL.md: it is an instruction-only deep-research assistant that uses platform-native tools (web_search, web_fetch, sessions_spawn, memory_search/memory_get). No unrelated environment variables, binaries, or install steps are requested.
Instruction Scope
concern: The SKILL.md mandates that the agent 'document the thinking process explicitly' and 'After EACH tool call, you MUST show your work.' That effectively instructs the agent to reveal internal chain-of-thought and detailed deliberations, which is a policy/safety/privacy concern. It also instructs use of memory_search/memory_get (user memory) and instructs full, non-stopped execution for Phase 3 after approval — combined, this can lead to broad automatic reading/fetching of external sites and user memory without further checkpoints. The plan is otherwise precise, but this requirement to expose internal reasoning and to show all intermediate links is disproportionate and unexpected for a general research skill.
Install Mechanism
ok: No install spec and no code files — lowest-risk distribution. All behavior comes from SKILL.md and uses built-in platform tools rather than downloading or executing external code.
Credentials
note: The skill requests no environment variables or credentials, which is proportional. However, it explicitly uses memory_search/memory_get to cross-reference prior knowledge and directs checking MEMORY.md — accessing stored user memory can surface sensitive personal data. The SKILL.md does not require explicit user consent for memory reads beyond the initial approval/checkpoint process; this should be clarified and limited.
Persistence & Privilege
note: always:false and no installs mean the skill does not demand persistent system presence. Normal autonomous invocation is allowed. However, Phase 3's 'NO STOPS — EXECUTE FULLY' combined with the mandatory detailed disclosures increases the potential blast radius if the agent is allowed to run autonomously: it could repeatedly fetch many pages and read memory without additional user interaction.