Skill v0.1.0

ClawScan security

Ai Pair · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 10, 2026, 12:02 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions coherently implement a multi‑agent code/content review workflow, but the package metadata omits required CLI binaries and credential usage and asks the agent to run with bypassPermissions (broad filesystem/CLI access), which is disproportionate and worth caution.
Guidance
This skill appears to do what it says (coordinate creator + two reviewers), but there are important mismatches and privilege implications you should understand before installing:

- Metadata omits declared runtime requirements: SKILL.md expects 'codex' and 'gemini' CLIs and that those CLIs be authenticated. The skill will therefore require API keys/credentials you must already have — but those are not listed in the registry entry. Ask the author which env vars or credential types are needed and where they must be configured.
- The workflow reads project files and pipes them to external CLIs. Any code, config, or secrets in the project could be transmitted to third‑party LLM providers (OpenAI/Gemini/etc.). Do not run this on repositories containing secrets or sensitive data unless you understand and accept that risk.
- The instructions require launching subagents in 'bypassPermissions' mode, granting agents broad filesystem and CLI access. Only enable that mode in a sandboxed environment (throwaway repo, VM, or container) while you validate behavior.
- Verify the skill origin: the registry shows no homepage and the source is 'unknown'. Prefer installing only from a known GitHub repo or the author's verified location, and review the SKILL.md locally before enabling.
- Mitigations: test in an isolated repo, revoke or scope any API keys used by the CLIs, run with least privilege (do not give access to home or system folders), and confirm that reviewer CLIs' privacy terms are acceptable for your data.

If you need to proceed: contact the skill author for the exact credential names, run a local review to confirm no additional hidden steps, and avoid enabling bypassPermissions in global or sensitive contexts.

Review Dimensions

Purpose & Capability
concern
SKILL.md clearly describes a dev/content review workflow that needs a Team Lead agent plus Codex and Gemini reviewers invoked via their CLIs. That purpose justifies reading project files and calling external reviewer CLIs. However, the registry metadata claims no required binaries or env vars while the instructions explicitly require 'codex' and 'gemini' CLIs and that those CLIs have authentication configured — a mismatch between declared requirements and actual runtime needs.
Instruction Scope
concern
Runtime instructions direct agents to read project files (Read/Glob/Grep), read style-memory.md/CLAUDE.md if present, and pipe file contents into external CLIs (e.g., 'cat /tmp/review-input.txt | codex exec ...'). This is consistent with a reviewer role but grants the agents broad discretion to access repository files and push data to third‑party APIs. The instructions also instruct launching subagents in 'bypassPermissions' mode to permit CLI execution and file access — that increases the blast radius.
Install Mechanism
ok
The skill is instruction-only and has no install script or downloaded binaries in the package, so nothing is written or executed at install time. Installation guidance in README suggests cloning a GitHub repo, which is typical and low risk compared to arbitrary downloads.
Credentials
concern
Although the skill requires authenticated Codex and Gemini CLIs at runtime, the registry metadata lists no required environment variables or primary credential. That omission hides the fact that using this skill will require API credentials for external LLM CLIs and will cause project content to be sent to those providers. The number and type of credentials are not declared or scoped here, which is disproportionate to the metadata.
Persistence & Privilege
concern
The skill does not set always:true, but it explicitly instructs the Team Lead to launch subagents with 'mode: "bypassPermissions"', which is a privileged runtime mode allowing filesystem and external CLI execution. Granting that mode to subagents is powerful and can enable exfiltration of project files to external services; it should only be allowed after careful review and limited testing.