Skill v0.1.0
ClawScan security
Comment On Task · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 1, 2026, 10:16 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated purpose (reading/adding OpenAnt task comments), but it authorizes immediate autonomous posting using the user's OpenAnt CLI/authentication without declaring or controlling credentials or confirmation — a risky combination.
- Guidance: This skill appears to do exactly what it says — run the OpenAnt CLI to read/write task comments — but pay attention to two risks before installing: 1) It instructs the agent to post comments immediately without asking you, so the agent can send messages on your behalf. If you want to prevent accidental posts, require user confirmation or remove the 'No confirmation needed' guidance. 2) The CLI will use whatever OpenAnt credentials are present in the environment or local config (npm, .netrc, OS keychain). Confirm which identity will be used and that those credentials are limited/appropriate. If you want to test safely, try with a throwaway/test task or temporarily revoke/post a limited token, and consider using or reviewing the referenced authenticate-openant skill so auth is explicit and auditable.
Review Dimensions
- Purpose & Capability (ok): Name/description align with the SKILL.md: it only reads and writes comments using the OpenAnt CLI (npx @openant-ai/cli). There are no unrelated binaries, env vars, or install steps requested.
- Instruction Scope (concern): The SKILL.md gives concrete commands (npx @openant-ai/cli tasks comments / tasks comment) and explicitly tells the agent to 'execute immediately' for routine updates and 'No confirmation needed.' While the commands are in-scope, the instruction to post without confirmation gives the agent broad authority to send messages on behalf of the user, which can lead to unexpected or unwanted postings.
- Install Mechanism (ok): Instruction-only skill; no install spec and no code files. Low disk/write risk because nothing is downloaded or installed by the skill itself.
- Credentials (note): The skill declares no required env vars, but the CLI will require OpenAnt authentication stored in the environment, npm config, or local config files. The SKILL.md refers to an authenticate-openant skill for 'Authentication required' errors, but it does not declare or manage credentials itself — the agent will implicitly use whatever local creds exist, which could expose tokens or cause actions under an unexpected identity.
- Persistence & Privilege (note): always:false and normal model invocation are set (no elevated platform privilege). However, the runtime instructions explicitly permit autonomous, confirmation-free posting; combined with agent autonomy this increases the chance of unintended actions even though the skill does not request persistent elevated privileges.
