Skillv1.0.0

ClawScan security

Evolution Drift Detector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 22, 2026, 7:09 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (detecting lineage drift) aligns with requiring network tooling and local analysis, but the runtime instructions are high-level and omit important operational details (authentication, exact fetch targets, limits), giving the agent broad discretion to fetch and analyze remote code without declared safeguards.
Guidance: This skill's purpose matches needing network fetches and local analysis, but the SKILL.md is a high-level spec rather than concrete runtime steps. Before installing or enabling it: 1) ask the author how the skill will authenticate to the marketplace (what API tokens/permissions it needs) and require explicit, minimal-scope credentials; 2) confirm which endpoints and repositories it will fetch and add explicit limits (only public marketplace metadata or explicit URLs); 3) run the skill in a sandboxed environment or with network access constrained to read-only marketplace APIs; 4) request a concrete implementation (scripts or code) or a stricter SKILL.md that specifies exact commands and safety checks; and 5) avoid granting broad, persistent credentials until you’ve reviewed an implementation. If you need stronger assurance, ask for a signed audit or run the detector on known public examples first.

Review Dimensions

Purpose & Capability: noteThe name/description (detecting skill-lineage drift) reasonably requires network fetches and local analysis; requiring curl and python3 is proportionate. However, the skill implies access to marketplace metadata and possibly repositories but does not declare any marketplace API or auth requirements—this mismatch should be clarified.
Instruction Scope: concernSKILL.md is a high-level design doc rather than explicit runtime instructions: it asks the agent to 'trace lineage', fetch chains and compute diffs, but it does not limit what endpoints to call, how to authenticate, what data is permissible to fetch, or how to treat private/credential-bearing files. That vagueness gives the agent broad discretion to perform arbitrary network and code retrieval actions.
Install Mechanism: okInstruction-only skill with no install spec or code files reduces on-disk risk. Requiring standard binaries (curl, python3) is reasonable and low-risk; nothing is downloaded or installed by the skill itself.
Credentials: noteThe skill declares no required environment variables or credentials, yet its functionality (marketplace lineage tracing, possibly fetching private forks) commonly requires API tokens or read access. The absence of declared auth variables is a gap: the agent may prompt for credentials or attempt unauthenticated scraping, which could fail or lead to inappropriate access attempts.
Persistence & Privilege: okNo always:true, no install-time persistence requested, and it does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not excessive by itself.