Skill v1.3.0

ClawScan security

Behavioral Invariant Monitor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 1, 2026, 4:06 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (behavioral invariant monitoring) is plausible, but the instruction-only SKILL.md asks the agent to collect system-level telemetry and produce/upload auditable logs without specifying where or what permissions are required, creating meaningful ambiguities that should be resolved before install.
Guidance
This skill's goal (detecting N-run/delayed activation threats) is reasonable, but the runtime instructions ask the agent to observe other skills' outputs, resource usage, side effects, and to produce hash-chained audit logs without specifying where logs are stored or sent and without detailing required platform access. Before installing: (1) review the full SKILL.md text to find any network endpoints or upload instructions (search for curl invocations or URLs); (2) confirm how the skill will obtain execution traces and whether your platform gives it access to process-level telemetry or other skills' outputs; (3) prefer running it in a restricted or test environment first (no network egress or limited filesystem access) to verify behavior; (4) require that audit logs remain local or go to a vetted endpoint and that transfers use explicit, auditable credentials; (5) if you lack clarity about where data will be sent or which system paths it reads, treat the skill as high-risk and avoid granting broad privileges. If you want, provide the full SKILL.md text and I can point to specific lines that warrant attention.
Findings
[no-findings] expected: The regex scanner found nothing — expected because this skill is instruction-only with no code files to analyze. The absence of findings is not evidence that the instructions are safe.

Review Dimensions

Purpose & Capability
[note] Name and description match the monitoring functionality described. Required binaries (curl, python3) are plausible for an instruction-only monitor that runs scripts and optionally transmits reports. However, the monitor's scope (observing file I/O, network connections, system calls, resource usage of other skills) implies system-level telemetry/access that is not declared elsewhere (no required config paths or privileges). That gap is worth questioning: a behavioral monitor legitimately needs access to execution traces and resource metrics, but the SKILL.md does not explain how those will be obtained or what platform privileges are needed.
Instruction Scope
[concern] The SKILL.md explicitly describes inspecting outputs, resource usage, side effects (file writes, network connections, system calls), execution-count-sensitive behavior, and creating cryptographic (hash-chained) audit logs. These operations imply reading other skills' outputs/logs, monitoring processes, and producing persistent logs; the file does not declare what files/paths will be read or where logs are stored/sent. Because this is an instruction-only skill, the instructions themselves are the runtime surface — they could direct the agent to collect and transmit sensitive state. The instructions as presented are high-level and allow broad discretion (sampling policies, where to store or send audit trails), which increases risk.
Install Mechanism
[ok] No install spec and no code files — lowest-risk installation footprint. Nothing will be written to disk by an installer. Risk comes from what the instructions will cause the agent to do at runtime rather than from an installation step.
Credentials
[note] The skill declares no required environment variables, credentials, or config paths, which is good. However, the intended functionality (collecting telemetry, generating audit trails, possibly uploading them) normally requires either access to platform monitoring APIs or a destination for logs. The SKILL.md does not declare endpoints, credentials, or storage locations; the absence could be benign (local-only by default) or problematic (instructions might instruct use of curl to send data to arbitrary URLs).
Persistence & Privilege
[ok] Flags show always: false and no persistent install behavior. The skill is user-invocable and allows autonomous invocation (the platform default). There is no explicit request to modify other skills or system-wide configurations in the metadata.