Skill v1.0.0

ClawScan security

Lean Context · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 2:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions align with a legitimate token-optimization purpose, but the detected prompt-injection patterns, together with guidance that encourages editing system prompts and writing files, make it potentially risky without careful controls.
Guidance
This skill appears to be a genuine, thorough guide to reducing token use, but there are important cautions:

- Prompt-injection signal: the SKILL.md contains content that could be used to try to override system prompts. Don't let the agent automatically apply edits to global/system prompt files without human review.
- File and write access: the skill recommends writing checkpoints and editing CLAUDE.md/AGENTS.md. Only grant the agent file-system write/read permissions that are explicitly required and sandboxed to a project directory; block access to global config directories and agent/system prompt files unless you trust and review the changes.
- Autonomous invocation: the skill can be invoked by the agent. If you enable autonomous runs, require confirmations for any action that modifies files or runs external commands.
- Test in a sandbox: try the guidance in a throwaway repo or VM first. Audit any diffs the agent proposes before applying them to production repositories.
- Least privilege: do not provide secrets, tokens, or broad filesystem access to this skill. If you need to use the suggested tools (llmlingua, LangChain), install and run them in controlled environments.

If you want to proceed: (1) run in interactive/manual mode first, (2) restrict file-system scope and deny edits to system prompt files, (3) review all proposed changes before applying them.

Additional information that would raise confidence: the skill's author/source, whether your agent platform enforces safe file-scoping, and any intended automatic-edit workflows.
Findings
[system-prompt-override] expected: A token-optimization guide will legitimately discuss system prompts and how to shorten them, so the pattern is contextually expected. However, the detector flagged it as a prompt-injection pattern because the document contains guidance that could be used to override or rewrite system prompts. Treat as risky: review any automated edits to system prompts and restrict who and what can perform them.

Review Dimensions

Purpose & Capability · note

Name/description match the instructions: the SKILL.md and the deep-dive reference provide coherent, relevant techniques for reducing token usage (selective loading, compression, sub-agents, deduplication). The skill does not request extra credentials or installs, which is proportionate — however, many recommendations assume the agent will read or modify project/system config files (CLAUDE.md, AGENTS.md, system prompts, skill files). That is consistent with the purpose but raises sensitivity because those files can be privileged.
Instruction Scope · concern

The instructions explicitly recommend actions that can touch persistent project/system configuration (editing or trimming system prompts, writing checkpoint files outside the context window, spawning sub-agents that read many files). Combined with the presence of a 'system-prompt-override' injection signal, this creates risk: the skill could be used to instruct an agent to alter system prompts or other sensitive files. The SKILL.md also encourages writing notes and checkpoint files to disk and using search/grep patterns, which implies file-system access that may be broader than needed for simple advice.
Install Mechanism · ok

Instruction-only skill with no install spec or bundled code — lower risk from third-party installers or arbitrary downloads. The reference names libraries (llmlingua, LangChain) but does not attempt to install them.
Credentials · note

The skill requests no environment variables or credentials, which is proportionate. However, the guidance expects access to project files and to potentially run small models or pipelines; ensure those capabilities are intentionally granted and scoped. The SKILL.md contains code examples referencing third-party libraries but does not require secrets.
Persistence & Privilege · concern

always:false (good) and the skill is user-invocable. Still, many instructions recommend modifying persistent files (system prompts, CLAUDE.md/AGENTS.md) and writing checkpoints outside the context window — actions that grant persistence. If an agent is allowed to follow these instructions autonomously, it could make persistent changes to configuration or project files. Combined with the prompt-injection signal, this warrants higher caution.