v1.0.2

MegaSquirt Tuner

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

This appears to be a legitimate Megasquirt tuning guide with an optional local MSQ analyzer, but users should apply ECU changes and run the bundled code carefully.

Guidance

Install this only if you want AI assistance with Megasquirt tuning. Treat all ECU recommendations as advisory, keep backups of every tune, verify AFR/timing/boost limits independently, and run the optional analyzer only on files you intentionally choose.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Cascading Failures
Severity: Medium | Confidence: High | Status: Note
README.md
AI: [Tunes high-load VE cells] ... AI: [Advances timing for power]

The skill is intended to guide changes to fuel and ignition calibration, which is purpose-aligned but can affect engine operation if applied incorrectly.

User impact: Bad ECU settings could cause drivability problems or engine damage, even though the skill frames this as user-guided tuning rather than automatic control.
Recommendation: Use the skill as advisory only, keep tune backups, make small changes, verify with proper instruments, and do not rely on the AI alone for safety-critical tuning decisions.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
README.md
Run locally — Use `python3 scripts/analyze_msq.py tune.msq`

The README asks users to execute a bundled Python script for local MSQ analysis. This is disclosed and purpose-aligned, but it is still local code execution.

User impact: Running the helper script gives it access to the MSQ file path you provide and executes code from the skill package on your machine.
Recommendation: Run the script only from a trusted copy of the skill, preferably on backup tune files, and avoid running it with elevated privileges.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none

The package includes a runnable helper script, but the registry metadata does not provide an upstream source or homepage for provenance review.

User impact: Users have less external context for who maintains the code and where to verify updates.
Recommendation: Review the included script before running it and install only if you trust the registry package and publisher.