Skillv0.5.0

ClawScan security

Skill Soup · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 13, 2026, 3:04 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (autonomously generating and publishing agent skills) matches its instructions, but the runtime instructions give the agent broad authority to create, mutate, and publish code and to store auth tokens locally — risks that merit caution given the skill's unknown provenance.
Guidance: This skill appears to do exactly what it says: it will run a local generation workflow, create files under .soup, persist an auth token to .soup/auth.json, and publish generated skills via the local API (which claims to create GitHub repos). Because the skill can autonomously generate, mutate, and publish code, take these precautions before using it: - Only run it in an isolated/test environment (not on a machine with sensitive data or broad filesystem/network access). - Inspect any builders in .soup/builders before allowing the agent to execute or follow them — builders can instruct the agent to create arbitrary code or make external requests. - Limit the scope of tokens used by the Skill Soup API / GitHub (give the minimum permissions, or use a throwaway account) and be prepared to revoke them if something looks wrong. - Do not run continuous/unsupervised generation loops until you have validated the builder pool and the API behavior. - Prefer to run the Skill Soup API and skill runner locally under network restrictions (e.g., no outbound access) if you want to avoid accidental publishing/exfiltration. Confidence is medium because the skill is instruction-only (no code to scan) and its provenance is unknown; the instructions are coherent with the declared purpose but grant broad autonomous capabilities that could be abused.

Review Dimensions

Purpose & Capability: okName/description match the behavior in SKILL.md: the agent talks to a Skill Soup API, picks ideas, uses builders, produces skills, and publishes them (the workflow describes creating repos via the API). The claimed capabilities reasonably explain the files it reads/writes (.soup workspace) and the device-flow auth.
Instruction Scope: concernThe SKILL.md gives the agent broad, open-ended instructions: run a generation loop, choose builders from a local pool, rewrite builders' SKILL.md (mutation), validate outputs, and publish results. While these actions align with the stated purpose, they effectively let the agent generate arbitrary code and push it to remote repositories via the API. The instructions also persist authentication tokens to .soup/auth.json and manage local workspace state. This broad autonomy and ability to mutate and publish code is a significant operational risk, especially because builders (which the agent will execute/interpret) can themselves contain arbitrary instructions.
Install Mechanism: okInstruction-only skill with no install spec and no binaries to install. Nothing is written to disk by a packaged installer; runtime writes are limited to the .soup workspace described in SKILL.md. This is lower install risk, but runtime filesystem writes still occur per the instructions.
Credentials: noteThe skill declares no required env vars or external credentials. It does, however, instruct saving a JWT returned by the local API to .soup/auth.json and to use it for subsequent API calls. Storing a token locally is functionally necessary for the workflow, but it creates a persistent credential that other processes or skills could read if they have access to the same filesystem; the skill itself does not request unrelated credentials.
Persistence & Privilege: noteThe skill does not request always:true and is user-invocable (normal). It does create and modify local state (.soup directory and auth.json) and interacts with an external publishing endpoint (the Skill Soup API that may create GitHub repos). The ability to autonomously loop (generate/publish repeatedly) combined with token persistence increases blast radius if the skill or builders are malicious. No explicit step shows modifying other skills' configs beyond the .soup workspace, which is appropriate for its role.