Skill v0.1.7

ClawScan security

Skill Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 29, 2026, 7:32 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's declared purpose (auditing skill bundles) aligns with its instructions and resource requirements; it is instruction-only, requests no credentials, and has no install steps, though it contains some surprising non-security choices you should be aware of.
Guidance
This instruction-only auditor appears internally consistent and lower-risk, but note two practical points before installing: (1) SKILL.md forces a language-detection step and mandates that the single final-line verdict always be in Chinese regardless of the user's language — confirm you want that behavior. (2) The auditor is designed to analyze the entire skill bundle (all files and referenced scripts), so do not run it on bundles that contain secrets or sensitive credentials unless you trust the environment and reviewer. Because there is no install and no credential requests, risks are limited; if you want extra caution, test the skill on a non-sensitive sample bundle first and review its outputs to verify the language and reporting format meet your needs.

Review Dimensions

Purpose & Capability
note: Name/description (skill auditor) match the SKILL.md content: the file describes a taxonomy and severity scoring and instructs the agent to evaluate the whole skill bundle. The skill requests no binaries, env vars, or installs, which is proportionate. Note: the SKILL.md enforces a language-locking rule (detect message language and force output language, with the final-line verdict always in Chinese) — this is unusual for a general-purpose auditor but not a direct security mismatch.
Instruction Scope
note: SKILL.md explicitly says the auditor operates on the entire skill bundle (SKILL.md plus referenced scripts/resources). That scope is appropriate for an auditor, but it means the evaluator will read and parse any files included in a skill bundle, including code that might contain secrets. The instructions include internal classification rules (EXE/FS/NET/CRED/etc.) and procedural constraints (language detection). The file does not request the agent to read unrelated local system files or environment variables beyond the provided bundle, so scope creep is not evident; nonetheless, users should be aware the auditor will examine all files in the uploaded bundle.
Install Mechanism
ok: No install spec and no code files are present; the skill is instruction-only. This is low-risk: nothing is written to disk or downloaded by the skill.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. SKILL.md contains checks for credential-related behaviors (e.g., detecting CRED.ReadEnv) but does not itself request secrets. Proportional.
Persistence & Privilege
ok: The always field is false, no install or persistence mechanisms are present, and the skill does not request system-level modifications. Autonomous invocation is allowed by default but is not combined with other red flags here.