Skill v1.0.0

ClawScan security

mini-swe-agent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 4, 2026, 3:18 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions tell the agent to run an external CLI (mini) with an explicit 'autonomous' flag (--yolo) but the skill declares no binary, no provenance, and provides no safety/credential controls — this mismatch is concerning.
Guidance
This skill tells the agent to run an unknown 'mini' CLI with an explicit autonomous flag (--yolo) to edit your codebase. Before installing or invoking it:

1) Do not run or install any 'mini' binary unless you can verify its source (official repo/releases, checksums, or vendor).
2) Ask the skill author for the 'mini' binary's provenance and inspect its code or release artifacts.
3) Require the skill to declare required binaries and any credentials it needs, and to limit scope (specific repo/paths/branches).
4) If you must test, run it in an isolated sandbox or disposable VM, on a cloned repo/branch with backups and no push permissions.
5) Prefer a skill that performs edits via transparent commands (git diffs, PRs) and explicit user confirmation rather than an opaque autonomous CLI.

These steps will reduce risk of destructive edits or data exfiltration.

Review Dimensions

Purpose & Capability
concern: The SKILL.md instructs the agent to run a CLI named 'mini' to perform end-to-end codebase edits, but the registry metadata lists no required binaries, no install steps, and no homepage/source. Asking to run an unproven external tool is not coherent with the 'instruction-only' metadata and provides no justification for how the 'mini' CLI will be obtained or trusted.
Instruction Scope
concern: Runtime instructions explicitly require always using the '--yolo' flag so the tool runs autonomously and performs full codebase edits. There are no safety checks, sandboxing, explicit file/path limits, or requirements for user confirmation. The instructions encourage running the tool against arbitrary project paths (e.g., /src/auth.py), which could result in destructive edits or exfiltration if the external CLI is malicious.
Install Mechanism
note: There is no install spec and no code files — that lowers installer risk. However, the SKILL.md references an external CLI ('mini') but provides no mechanism or provenance to obtain it. The only install-like content is a local snippet that writes the SKILL.md into ~/.openclaw/skills, which is harmless on its own.
Credentials
concern: The skill declares no required environment variables or credentials, yet its intended function (automated full-repo edits, possibly pushing changes) typically requires repository access and credentials. The absence of declared credentials or guidance for secure credential use is a mismatch and increases risk.
Persistence & Privilege
note: The skill is not marked 'always: true' and is user-invocable, which is normal. However, the SKILL.md's instruction to 'Always use the --yolo flag' increases the effective autonomy and blast radius if the external 'mini' CLI can act without further confirmation. Autonomy combined with an unknown external binary is risky, though the skill itself does not request persistent elevated platform privileges.