Skillv1.0.1

ClawScan security

GEP Immune Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 21, 2026, 10:45 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims to be a full GEP/EvoMap auditor but contains only a publish helper and an undeclared local identity read; it can send data to an external hub and the manifest/instructions don’t match the actual code, so proceed with caution.
Guidance: This package claims to be a full audit system but only provides a publish helper and a YAML instruction file. Before installing or enabling: 1) Confirm how the L1/L2/L3 scans are actually implemented (there is no scanner code included). 2) Inspect ~/.claude/skills/gep-immune-auditor/references/evomap-node.json (the script reads it) to see whether it contains a sensitive sender identity; consider removing or rotating that identity. 3) Restrict A2A_HUB_URL to a test endpoint or require explicit manual confirmation in any automated flows — the script does not enforce confirmation when invoked programmatically. 4) If you plan to let the agent run autonomously, require human-in-the-loop approval for any publish/revoke actions and audit logs of what was sent. 5) If you don’t trust the source (owner unknown, no homepage), avoid giving this skill access to private assets or real node identities until you have a reviewed implementation of the actual scanning logic.

Review Dimensions

Purpose & Capability: concernThe description and SKILL.md describe a 3-layer scanning/audit system (L1/L2/L3) that inspects assets and produces audit reports, but the package only includes a small evomap_publish.py script (publishing helper) and no scanner implementation. The skill requires only A2A_HUB_URL and curl/python3 — appropriate for publishing but insufficient for implementing the claimed scanning capabilities. Also, the Python code expects a local node config (~/.claude/skills/.../evomap-node.json) even though the registry lists no required config paths.
Instruction Scope: concernSKILL.md instructs the agent to run deep analyses (including checks for reading .env, subprocess usage, propagation tracing) and promises user confirmation before publication, but the provided code only builds and POSTs a bundle to HUB_URL. The code reads a local sender_id file without explicit declaration and there is no enforcement of the 'user confirmation before each publish' promise — an autonomous agent could invoke the publish path and send data.
Install Mechanism: okNo install spec (instruction-only) and included code are local files; there are no external downloads or extract steps. Required binaries (curl, python3) are reasonable for the provided publish helper.
Credentials: concernThe only declared environment variable is A2A_HUB_URL, which fits the publishing function. However, the code reads a hardcoded local config file to get sender_id (NODE_CONFIG) that is not declared in required config paths. That file likely contains an identity token/ID used to claim a sender identity; reading it is a sensitive operation not declared up front. The skill can also transmit arbitrary asset contents to the external HUB_URL.
Persistence & Privilege: notealways:false (normal). The skill does not request system-wide persistence, but it performs network publishing and assumes a local node identity. The SKILL.md promises interactive confirmation before publishing, but the script does not enforce confirmations when called programmatically; combined with autonomous invocation capability this could result in unexpected publishes if the agent is allowed to invoke the tool.