Skill v1.3.2
ClawScan security
Agent Context System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 13, 2026, 6:48 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's goal (two markdown files to persist agent context) is reasonable, but the package claims a CLI and has scripts that reference tools/files that are missing or undeclared, and some scripts perform repo/network operations without clearly declared dependencies — these inconsistencies warrant caution before installing or running any scripts.
- Guidance: This skill's idea is benign and useful, but there are concrete inconsistencies you should address before running anything:
  - 1) The repo repeatedly references a CLI named `agent-context` but that binary/implementation is not included — do not run scripts that call it until you confirm the CLI exists or is installed from a trusted source.
  - 2) Inspect scripts/publish-template.sh before running: it uses the GitHub CLI and will push a repo from your current directory; it even offers to include detected sensitive files if you confirm. Ensure you are authenticated and comfortable with the push.
  - 3) The init wrapper runs ../agent-context — if you run it and an unexpected binary exists at that path, it could execute arbitrary code; prefer manually creating .agents.local.md and wiring agent config files yourself rather than running the wrapper.
  - 4) The system relies on agent behavior to 'propose' session logs before writing; never approve writes you don't understand — review proposed content before allowing an agent to append to .agents.local.md or to promote items into AGENTS.md.
  - 5) If you want this skill, either obtain the missing `agent-context` CLI from the author's verified source (and verify its contents), or use the provided templates and do the wiring manually. If you cannot validate the origin of the missing CLI, treat the skill as incomplete and avoid running its scripts.
Review Dimensions
- Purpose & Capability (concern): The skill claims a small, local-only context system (AGENTS.md + .agents.local.md). That purpose matches most files and instructions. However, multiple items claim or rely on a main CLI binary named `agent-context` (SKILL.md repeatedly references it and package.json lists it in files) but no `agent-context` executable or implementation is present in the repository manifest. The init wrapper script (scripts/init-agent-context.sh) execs ../agent-context; since that file is missing, init will fail or behave unexpectedly if a different file exists at that path. package.json and documentation assert the repo includes a CLI and additional commands (compress/promote/validate), but those commands are not implemented in the provided files. This mismatch between claimed capabilities and actual files is incoherent and suspicious.
- Instruction Scope (note): SKILL.md instructs agents to read AGENTS.md and .agents.local.md at session start and to propose session-log entries before writing them to .agents.local.md. It also instructs modifying repo-level configs (creating CLAUDE.md symlink, writing .cursorrules/.windsurfrules/copilot-instructions.md). Those file reads/writes are within a project's scope and proportional to the stated purpose. However, the 'agent must propose before writing' is an instruction-level policy (not enforced by code), so a malicious or buggy agent could still attempt to write data if the user approves or if tooling doesn't enforce the proposal step. The SKILL.md also suggests optional publishing to GitHub via a script that will create and push a repo — that step writes network-facing state and may include sensitive files if the user approves. Overall the runtime instructions stay within the purported scope but rely on correct agent/tooling behavior and on manual approval steps that are not programmatically enforced.
- Install Mechanism (concern): There is no install spec (instruction-only) which is low-risk. The included scripts are small and there are no external downloads. However, scripts/publish-template.sh invokes the GitHub CLI (`gh`) and performs network operations (gh repo create, gh api) without declaring 'gh' as a required binary or telling users about this dependency. The init wrapper execs a missing `../agent-context` binary, which is a higher-risk inconsistency — it means the advertised CLI is not shipped and running the wrapper will fail or could execute an unexpected binary if present at that path. No URL-based downloads or archive extraction were found, which is good, but the missing CLI and undeclared gh dependency are notable issues.
- Credentials (note): The skill declares no required environment variables or primary credentials, which matches its stated local-only, no-infrastructure design. That is proportional. One caveat: publish-template.sh and git operations implicitly use whatever Git/gh authentication exists on the user's machine (gh auth), so installing/running the publish script will act with your GitHub identity if you are authenticated. That implicit credential use is common for developer scripts but should be considered by users. Otherwise, there are no demands for unrelated secrets.
- Persistence & Privilege (note): The skill is not always-enabled and has normal invocation settings. Its persistence is limited to files inside a repository (AGENTS.md, .agents.local.md, and possible agent tool config files); it does not request system-wide privileges. The scripts may modify repository files and create a symlink (CLAUDE.md) within the repo. Those are expected for this purpose, but because the code relies on agents to write the scratchpad and on user approval, there's a potential for accidental or user-approved writes that introduce instruction-like content — the README asserts the agent should ignore 'instruction-like' scratchpad content, but that is an honor-system rule, not enforced.
