Skill v1.0.0
ClawScan security
OpenSpec Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 19, 2026, 5:13 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions legitimately describe an automated spec-driven code workflow, but the runtime instructions require powerful CLIs and permission-bypassing flags that are not declared in the registry metadata — the mismatch and use of --dangerously-skip-permissions/subagent repo access are noteworthy risks the user should review before installing.
- Guidance
- This skill is coherent as an automated spec-driven workflow, but several warning signs deserve attention before installing:
  - Metadata mismatch: The skill metadata declares no required binaries or credentials, while the SKILL.md expects openspec, claude, gh, git, and an authenticated gh CLI. Ask the publisher to update the registry fields to reflect the real requirements.
  - Permission-bypass flag: The guide explicitly runs Claude with --dangerously-skip-permissions and spawns subagents with full repo paths. That gives the implementer broad read/write access and can bypass platform safety checks; only run it in repositories you fully control and have audited first.
  - Credential scope: Limit tokens to least privilege (narrow GitHub repo scopes, no org-wide tokens). Prefer ephemeral tokens, or require human approval for push and PR creation.
  - Audit the repo for secrets: Before giving any subagent or external CLI access, scan the repo for secrets or sensitive files that an automated reviewer could expose.
  - Operational controls: If you choose to use this skill, require interactive/human confirmation for commits and PR creation, or run it in an isolated CI environment. Consider running claude and openspec in a sandbox or git worktree instead of on your primary working copy.
  If the publisher cannot or will not correct the metadata to list the required CLIs and credential needs, treat installation with extra caution or avoid installing it into sensitive environments.
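A pre-install check of the kind the guidance above asks for, as an added example that is not ClawHub's scanner or the skill's own code: it pulls the commands a SKILL.md actually runs out of its fenced code blocks, lists the binaries and environment variables they use, compares them with what the registry metadata declares, and flags permission-bypass flags. The metadata shape (a dict with `bins` and `env` lists), the flag list, and the SKILL.md excerpt are constructed for the example; --dangerously-skip-permissions is the Claude Code flag the scan names and --no-verify is git's hook-bypass flag.

```python
"""Pre-install audit of an agent skill bundle (added example, not ClawHub code).

Assumes a hypothetical registry metadata shape: {"bins": [...], "env": [...]}.
"""
import re

# Flags that bypass a tool's own safety controls. Hypothetical list for the
# example: the first is the Claude Code flag the scan names, the second is
# git's commit-hook bypass.
BYPASS_FLAGS = {"--dangerously-skip-permissions", "--no-verify"}

# Shell keywords/builtins that can start a line but are not host binaries.
SHELL_NOISE = {"cd", "export", "echo", "set", "if", "then", "else", "fi", "do", "done"}

FENCE_RE = re.compile(r"```[^\n]*\n(.*?)```", re.DOTALL)   # fenced code blocks
ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")           # $VAR or ${VAR}
ASSIGN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")        # leading VAR=value


def extract_commands(skill_md: str) -> list[list[str]]:
    """Return argv-like token lists for every command line inside fenced blocks."""
    commands = []
    for block in FENCE_RE.findall(skill_md):
        for raw in block.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            line = line.removeprefix("$ ")
            # Split pipelines and chains so each command in the line is seen.
            for segment in re.split(r"\s*(?:\|\||&&|\||;)\s*", line):
                tokens = segment.split()
                # Drop leading VAR=value assignments to reach the real binary.
                while tokens and ASSIGN_RE.fullmatch(tokens[0]):
                    tokens.pop(0)
                if tokens and tokens[0] not in SHELL_NOISE:
                    commands.append(tokens)
    return commands


def audit(skill_md: str, declared: dict) -> dict:
    """Compare what SKILL.md invokes with what the registry metadata declares."""
    commands = extract_commands(skill_md)
    used_bins = {cmd[0] for cmd in commands}
    used_env = set(ENV_RE.findall(skill_md))
    bypass = sorted(
        f"{cmd[0]} {flag}" for cmd in commands for flag in cmd[1:] if flag in BYPASS_FLAGS
    )
    return {
        "undeclared_bins": sorted(used_bins - set(declared.get("bins", []))),
        "undeclared_env": sorted(used_env - set(declared.get("env", []))),
        "bypass_flags": bypass,
    }


def verdict(findings: dict) -> str:
    """Bypass flags are suspicious on their own; an undeclared dependency needs review."""
    if findings["bypass_flags"]:
        return "suspicious"
    if findings["undeclared_bins"] or findings["undeclared_env"]:
        return "needs-review"
    return "ok"


# Constructed SKILL.md excerpt mirroring the scan's findings; not the real file.
FENCE = "`" * 3  # built this way so the sample cannot close this code block
SAMPLE_SKILL_MD = f"""---
name: openspec-workflow
---
# Workflow (constructed sample)

{FENCE}bash
openspec init
gh auth status
claude --dangerously-skip-permissions -p "implement task 1"
git commit --no-verify -m "implement task 1"
GH_TOKEN=$GH_TOKEN gh pr create --fill
{FENCE}
"""

# Constructed registry metadata declaring nothing, as the scan reports.
DECLARED = {"bins": [], "env": []}

if __name__ == "__main__":
    findings = audit(SAMPLE_SKILL_MD, DECLARED)
    print(verdict(findings), findings)
```

Run it against the real SKILL.md and the bundle's declared metadata before installing; anything in `undeclared_bins` or `undeclared_env` is a question for the publisher, and anything in `bypass_flags` is a reason to run the skill only in a throwaway worktree or isolated CI job.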
Review Dimensions
- Purpose & Capability
- note: The skill's stated purpose (orchestrating OpenSpec + Claude Code workflows) matches the actions described in SKILL.md (drafting artifacts, spawning reviewers, implementing tasks, opening PRs). However, the registry metadata lists no required binaries or credentials while the SKILL.md explicitly requires openspec, claude, gh, and git, a metadata/instruction mismatch that reduces transparency.
- Instruction Scope
- concern: SKILL.md instructs the agent to spawn reviewers/subagents with full repo path access, let Claude Code read/grep any file in the repository, and run Claude with --dangerously-skip-permissions and PTY-backed exec. Those instructions grant wide read/write access to repository contents and ask the agent to run commands that bypass normal permission controls; appropriate for an automated implementer, but high-risk if the skill is untrusted or run in a sensitive repo.
- Install Mechanism
- ok: There is no install spec and the skill is instruction-only, so nothing is downloaded or written by the skill bundle itself. This minimizes supply-chain install risk, but the instructions depend on external CLIs being present on the host (openspec, claude, gh, and npm for installation), which the metadata does not declare.
- Credentials
- concern: The registry asserts no required env vars or credentials, yet SKILL.md requires an authenticated gh CLI (and implicitly a GitHub token for some flows), the claude CLI (which needs credentials), and npm-installed openspec. The workflow and reference GitHub Action also rely on GH_TOKEN/secrets in practice. The skill asks for access to credentials and repo contents without declaring them, which is disproportionate to what the registry metadata presents.
- Persistence & Privilege
- note: The skill does not request always:true and does not modify other skills' configs. Still, it instructs autonomous invocations (spawn reviewers, run Claude Code) and uses flags that bypass permissions. While autonomous invocation is the platform default, combining it with permission-skipping and subagent repo access increases the blast radius; consider limiting autonomy or requiring human confirmation for risky steps.
