Back to skill
Skillv1.0.1
ClawScan security
Review Frontend · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 22, 2026, 4:15 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions mostly match a frontend code-review task, but the manifest omits required local tooling and the skill relies on loading/launching other skills/subagents (transitive privileges) — the omissions create an incoherent security picture.
- Guidance
- Before installing, check that your execution environment provides the local tools the skill uses (git, grep, head, and npm if you plan to run post-fix checks). Review the manifests of any beagle-react:* skills this skill will load — those secondary skills may request credentials or install steps not declared here. Because this skill can spawn subagents and load other skills, treat it as a coordinator: verify the transitive behavior of every skill it loads. If you have strict least-privilege requirements, demand that the author declare required binaries and explicitly list transitive environment/permission needs before use.
Review Dimensions
- Purpose & Capability
- concernThe skill claims to perform repo-focused React/TypeScript reviews, which fits its name. However the SKILL.md explicitly runs shell commands (git, grep, head) and suggests running npm scripts; the registry metadata lists no required binaries. This mismatch (declaring no required binaries while the runtime relies on git/grep/npm) is an incoherence that could lead to unexpected failures or hidden capabilities if the environment differs from the author’s assumptions.
- Instruction Scope
- noteInstructions are largely limited to scanning the repo diff, grepping for patterns, and running checks — all appropriate for a code-review skill. Two items to note: (1) the skill instructs loading an external 'review-verification-protocol' gate and many other beagle-react skills before making judgments; loading those skills delegates additional behavior to them and may expand scope unexpectedly, and (2) the skill supports spawning parallel subagents (via a Task tool) which may further load other skills. The SKILL.md does not list the transitive actions or requirements of those external skills, so the effective runtime behavior depends on external manifests.
- Install Mechanism
- okThis is instruction-only with no install spec or external downloads, which is the lowest install risk. Nothing is written to disk by an installer step in the registry metadata.
- Credentials
- concernThe skill declares no required environment variables or credentials, which is appropriate for a local code review. However, because it loads other skills and can spawn subagents, those secondary skills may request environment variables/credentials transitively. Also it fails to declare required local tooling (git, grep, npm) in the manifest, which is a proportionality/accuracy problem rather than direct credential overreach, but still important to surface.
- Persistence & Privilege
- noteThe skill does not request always:true or persistent presence and does not attempt to modify system/other-skill configs. One unusual flag: disable-model-invocation is set to true in the skill header — yet the runtime expects to call platform tools (Skill, Task) to load other skills and spawn agents. This is not necessarily malicious, but it's an uncommon configuration and may indicate misunderstanding of platform semantics or an assumption about available orchestration tools. Combine this with the transitive loading of other skills and you get a wider effective privilege surface.