Skill v0.1.2
ClawScan security
Seed · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 11, 2026, 8:29 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior matches its description (a self-growing C firmware server) but its runtime capabilities (upload/compile arbitrary C, file_read, file_write, and cmd_out) let a compromised or malicious firmware exfiltrate data or execute arbitrary commands on any device you run it on — proceed only with strong caution and review.
- Guidance: This skill implements a powerful mechanism: it lets you upload C code to a device, compile it there, and grant that code the ability to read files and run shell commands. Only install or run 'seed' on machines you fully control and isolate (do not run on multi-tenant systems or internet-exposed servers). Before running: review the seed.c source yourself (do not blindly curl | run), prefer cloning the GitHub repo and building locally, restrict network access and run the service inside a sandbox/container with minimal permissions, rotate and protect any tokens produced by seed, and monitor logs and file integrity. If you need to test, use a disposable VM or hardware you can wipe. If you are not comfortable auditing C code or the runtime behavior, do not deploy this skill or the seed software.
Review Dimensions
- Purpose & Capability (ok): Name/description (grow firmware via HTTP, compile on-device, watchdog rollback) align with the declared requirements (curl, gcc) and the SKILL.md API. Asking for no credentials and only requiring curl/gcc is coherent for this functionality.
- Instruction Scope (concern): The SKILL.md instructs the agent and user to download and run a seed binary and then supports uploading arbitrary C source, compiling it on-device, and providing handler helpers (file_read, file_write, cmd_out). Those helpers allow reading arbitrary files, writing files, and running shell commands on the target device — capabilities that go well beyond simply 'deploying firmware' and can be used to exfiltrate secrets or escalate access. The instructions also show how to fetch the seed source from a raw GitHub URL and run it, which instructs executing remotely fetched code unless the user audits it first.
- Install Mechanism (note): This is instruction-only (no install spec). SKILL.md directs using curl to download seed.c from raw.githubusercontent.com and compiling locally; raw.githubusercontent.com is a known host (lower-than-arbitrary-URL risk) but 'curl-and-run' remains high-risk in practice. Nothing in the skill auto-installs software on the agent's host, but it does instruct users to run code they fetch.
- Credentials (concern): The skill itself declares no environment variables and only requires curl/gcc, which is proportional. However, the firmware API exposes file_read and cmd_out that can access arbitrary local files and run commands on the device — meaning sensitive environment data or credentials on a device running seed can be read or invoked by uploaded firmware. Those risks are real even though the skill doesn't ask for credentials explicitly.
- Persistence & Privilege (note): always:false (good). The skill can be invoked autonomously (default), which is normal; if the agent is allowed to act without supervision, combined with the skill's ability to instruct deployment of a self-updating firmware, the blast radius increases. The skill does not request permanent system privileges itself, but the firmware it helps install can gain long-lived control of a device.
