Skill v1.0.0

ClawScan security

Ai Act Risk Check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review date: Feb 11, 2026, 9:25 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code mostly matches its stated purpose (classifying descriptions against Annex III) but contains documentation/code inconsistencies and undeclared runtime assumptions (notably a dependency on a 'gemini' CLI), and the script prints the input description which could expose sensitive text — these mismatches merit caution before installing.
Guidance
This skill appears to do what it says (classify a short AI-system description against Annex III), but there are a few things to check before installing or invoking it:
- The script calls the 'gemini' CLI but the skill metadata/README do not list that dependency. Confirm you have a trusted gemini binary installed and understand what credentials or network access it uses.
- SKILL.md claims the model will 'output ONLY the classification line', but script.sh prints the input description and other text around the result. If you will be checking sensitive descriptions, be aware they will be echoed to stdout/logs.
- The SKILL.md mentions an 'oracle' via exec (not present in the code). Ask the author whether the documentation is stale or whether other LLM CLIs might be used. Request the exact runtime requirements and intended CLI.
- Because the skill invokes an external LLM CLI, review how that CLI is configured (API keys, network endpoints, logging) to ensure no unintended data exfiltration.
If you need higher assurance, ask the author to (1) update SKILL.md to accurately reflect the required CLI, (2) declare the gemini dependency or provide an install step, and (3) remove or make optional the echoing of the full input description so outputs are limited to the intended classification line.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (preliminary EU AI Act Annex III high-risk classification) matches the script's actual behavior. However, the SKILL.md claims it 'uses pure shell and `oracle` via `exec`', while script.sh actually calls a 'gemini' CLI. The package.json and SKILL.md declare no runtime dependencies, but the script requires a CLI not documented in the manifest. This is an incoherence (likely stale docs or a packaging oversight) rather than proof of malicious intent.
Instruction Scope
concern: SKILL.md instructs the model to 'Output ONLY the classification line' with no preamble, but script.sh prints additional context to stdout (it echoes the AI-system description, headings, and a disclaimer). That means the real runtime behavior differs from the stated strict-output contract. Also, script.sh echoes the full input description to standard output/logs, which may leak sensitive or confidential descriptions to logs or to whatever consumer collects stdout.
Install Mechanism
concern: There is no install spec (instruction-only), which is generally low-risk, but script.sh depends on an external CLI ('gemini') that is not declared in the skill metadata. Because the required binary is not listed, the skill may silently fail or behave differently depending on the environment. No downloaded code or obscure URLs are present.
Credentials
ok: The skill does not request environment variables, credentials, or config paths. The script itself does not read secrets or system files. Note: using the gemini CLI may implicitly rely on credentials or local configuration for that tool (outside the skill), but the skill does not explicitly request them.
Persistence & Privilege
ok: The skill does not request permanent presence, does not set always:true, and does not modify system or other-skill configurations. Autonomous invocation is allowed (platform default) but is not combined with other red flags.