Skill v1.0.0

ClawScan security

Farmos Workforce · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 25, 2026, 9:01 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions depend on a local script, a local role file, and external channel notifications, but the skill declares no credentials, environment requirements, or install steps. This mismatch is suspicious and should be clarified before installing.
Guidance
Before installing or enabling this skill, confirm the following:

1. Who maintains ~/clawd/scripts/farmos-auth.sh, and inspect it: the agent will execute it to obtain JWTs.
2. What ~/.clawdbot/farmos-users.json contains: it holds role mappings and may include sensitive information.
3. How Slack/channel notifications are delivered and with which credentials; no Slack token or webhook is declared.
4. That the API base (http://100.102.77.110:8006) is the intended internal FarmOS host and that network access to it is appropriate. The scheme is plain HTTP, so the JWT will be sent in clear to that host, and 100.102.77.110 falls in the 100.64.0.0/10 shared address space, so confirm which network (for example an overlay VPN) is expected to reach it.

Ask the publisher to update the metadata to declare the required credentials, config paths, and integrations (Slack/webhooks), or refuse installation until those gaps are closed. If you must test, do so in an isolated account/environment and inspect the local auth script before granting access.

Review Dimensions

Purpose & Capability
concern: The described purpose (query employees, timeclock, requests) matches the listed FarmOS endpoints, but the skill does not declare any credentials or config even though the SKILL.md requires a JWT token and references a local auth script and role file. Asking the agent to run ~/clawd/scripts/farmos-auth.sh and to read ~/.clawdbot/farmos-users.json is not reflected in the declared requirements.
Instruction Scope
concern: Runtime instructions tell the agent to execute a local script (~/clawd/scripts/farmos-auth.sh), read a local JSON role mapping (~/.clawdbot/farmos-users.json), extract Slack user identity, and notify a Slack channel (#farm-workforce). These file reads, script execution, and external notifications are beyond what the skill's metadata declares and grant the skill broad access to local data and communication channels.
Install Mechanism
ok: This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by the registry install process itself. Instruction-only status is lower-risk for installer behavior; the risk in this skill lies in what its instructions make the agent do at runtime, not in installation.
Credentials
concern: The skill requires a JWT token and relies on a local auth helper and role file, but declares no required environment variables or primary credential. It also expects to post to Slack (or another channel) without declaring or requesting corresponding credentials. This is a mismatch and may lead to hidden credential usage or failed behavior.
Persistence & Privilege
note: The skill is not always-enabled and does not request persistent installation. However, its runtime instructions read files in the user's home directory and execute a local script; that is not a persistence feature, but it is a privilege worth reviewing before enabling autonomous invocation.
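The gap that the Guidance and the Instruction Scope and Credentials dimensions describe, what the instructions actually touch versus what the metadata declares, can be checked mechanically before any model-based review. The Python below is an added example written for this page; it is not ClawScan's implementation and not the skill's code. The SKILL.md text and both manifests are constructed to paraphrase the report, FARMOS_JWT is a hypothetical variable name, and the regexes only cover home-directory paths, http(s) URLs, and #channel names.

```python
"""Pre-install audit: diff what a skill's instructions touch against what its
manifest declares. Added example; not ClawHub's ClawScan implementation."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed SKILL.md that paraphrases the behaviour the report describes.
# It is not the published skill's file.
SKILL_MD = """\
# Farmos Workforce

Query employees, timeclock entries and requests from FarmOS.

1. Run ~/clawd/scripts/farmos-auth.sh to obtain a JWT.
2. Read ~/.clawdbot/farmos-users.json to map the Slack user to a FarmOS role.
3. Call http://100.102.77.110:8006/api/employees with the Authorization header.
4. Post a summary to #farm-workforce.
"""

# Constructed manifests: the first declares nothing, as the report describes;
# the second is what a publisher could declare to close the gaps.
DECLARED_NOTHING = {"env": set(), "config_paths": set(), "integrations": set()}
DECLARED_FULL = {
    "env": {"FARMOS_JWT"},  # hypothetical variable name
    "config_paths": {"~/clawd/scripts/farmos-auth.sh", "~/.clawdbot/farmos-users.json"},
    "integrations": {"slack"},
}

PATH_RE = re.compile(r"~/[\w./-]+")
URL_RE = re.compile(r"https?://[^\s)\]>\"']+")
CHANNEL_RE = re.compile(r"(?<![\w/])#[a-z][\w-]+")
CRED_RE = re.compile(r"\b(jwt|token|api key|password|secret)\b", re.I)
EXEC_SUFFIXES = (".sh", ".bash", ".zsh", ".py")
# Blocks that are not globally routable: RFC 1918, loopback, link-local, and the
# 100.64.0.0/10 shared address space (RFC 6598), which overlay VPNs commonly use.
NON_GLOBAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def extract_references(text):
    """Return the home-directory paths, URLs and chat channels an instruction text mentions."""
    return {
        "paths": sorted({p.rstrip(".") for p in PATH_RE.findall(text)}),
        "urls": sorted({u.rstrip(".,") for u in URL_RE.findall(text)}),
        "channels": sorted(set(CHANNEL_RE.findall(text))),
    }


def url_findings(url):
    """Flag plaintext HTTP (a bearer token would travel in clear) and non-global hosts."""
    parts = urlsplit(url)
    out = []
    if parts.scheme == "http":
        out.append(f"{url}: plaintext HTTP, the JWT would be sent unencrypted")
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return out  # DNS name: nothing to say about routability offline
    if any(ip in net for net in NON_GLOBAL):
        out.append(f"{url}: non-global host {ip}, confirm which network reaches it")
    return out


def audit(skill_md, declared):
    """List every capability the instructions need that the manifest does not declare."""
    refs = extract_references(skill_md)
    findings = []
    for path in refs["paths"]:
        if path not in declared["config_paths"]:
            verb = "executes" if path.endswith(EXEC_SUFFIXES) else "reads"
            findings.append(f"{verb} undeclared local file {path}")
    for url in refs["urls"]:
        findings.extend(url_findings(url))
    if refs["channels"] and "slack" not in declared["integrations"]:
        findings.append("posts to " + ", ".join(refs["channels"])
                        + " without a declared chat integration")
    if CRED_RE.search(skill_md) and not declared["env"]:
        findings.append("needs a credential but declares no environment variable for it")
    return findings


if __name__ == "__main__":
    for finding in audit(SKILL_MD, DECLARED_NOTHING):
        print("-", finding)
```

Against the manifest that declares nothing the audit yields six findings, the same mismatches the report lists; against the fuller manifest only the two URL observations remain, which are facts about the endpoint for the publisher to justify rather than gaps in the metadata. The file-read and script-execution findings are the ones to treat as blocking until the paths are declared and the script has been inspected.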