Skill v1.0.1
ClawScan security
Agent Dev Toolkit Cahdieng · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 9:51 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The toolkit's files broadly match a developer-focused agent toolkit, but the instructions encourage broad, persistent permissions (wildcard WebFetch, wide Bash allowlists, automatic 'fix' behavior), modify user shell/config, and the SKILL.md contains a detected prompt-injection pattern; these combined raise meaningful risk and warrant closer review before installing.
- Guidance: This toolkit appears to provide legitimate agent-development docs, but exercise caution before installing or applying its recommendations. Specific actions to consider:
  - Do NOT apply blanket allowlists (WebFetch(domain:*) or wide Bash allow patterns) unless you understand and accept the risk; prefer domain-restricted allowlists and minimal Bash permissions.
  - Don't blindly run the suggested shell changes (e.g., modifying ~/.bashrc to set NODE_OPTIONS) without understanding the consequences and backing up your shell config.
  - Review the Agent Wallet SKILL.md carefully before using wallet features: verify where private keys or RPC endpoints are stored/used and never paste private keys into tools you don't fully trust.
  - Treat 'FIX issues found' automation as potentially dangerous: require human review/approval before any agent is allowed to edit files or push commits.
  - Manually inspect any code or CLI the installer (clawhub) would fetch before running it; only install from trusted sources.
  - Because a prompt-injection string was detected, read the SKILL.md and included docs end-to-end to ensure no hidden instructions override safety/approval checks.
  If you want, I can (a) list the exact lines where the prompt-injection pattern and the most-permissive allowlist recommendations appear, or (b) highlight places in the wallet/browser docs that would require sensitive credentials or network access so you can decide what to permit.
- Findings
  - [prompt-injection:ignore-previous-instructions] unexpected: A prompt-injection pattern ('ignore-previous-instructions') was found in SKILL.md. It is not expected for a developer toolkit and could indicate content that attempts to override agent-level guards or instructions; review the exact context where it appears before trusting the skill.
Review Dimensions
- Purpose & Capability (note): The package name and description (agent builder, browser, wallet, docs, development) match the included SKILL.md and reference docs. Required binaries (node, npm) are reasonable for an agent dev toolkit. However, some recommended configuration (global allowlists for Bash/WebFetch and giving all agents broad tools) is more permissive than strictly necessary for many of the described features and feels disproportionate to a conservative security posture.
- Instruction Scope (concern): SKILL.md and the bundled docs explicitly instruct environment/config changes (e.g., add NODE_OPTIONS to ~/.bashrc), advocate giving agents the ability to 'FIX issues found' (automatic edits), and contain guidance to allowlist WebFetch(domain:*) and many Bash patterns. Those instructions expand agent authority to network/command execution and filesystem writes beyond simple guidance or templates. A prompt-injection indicator ('ignore-previous-instructions') was also detected in SKILL.md content, which is a red flag for possible instruction-manipulation vectors.
- Install Mechanism (ok): This is instruction-only (no install spec, no code files to execute), which reduces supply-chain risk. The README suggests using 'npm install -g clawhub' and 'clawhub install agent-dev-toolkit', but the package itself does not download arbitrary binaries or include extract steps.
- Credentials (note): No environment variables, credentials, or config paths are required by the skill metadata; that's good. However, the docs recommend global shell changes (~/.bashrc) and allowlisting network access (WebFetch(domain:*)) and many Bash commands, which effectively grants agents broad access to the environment and to outbound exfiltration vectors even though no secrets are requested up front.
- Persistence & Privilege (concern): always:false (good) and the skill is user-invocable. But the included guidance explicitly encourages removing interactive prompts (allowlists), giving agents file-write and network permissions, and even instructs agents to 'FIX issues found' automatically. Combined with normal autonomous invocation, this increases the blast radius (agents could make persistent changes and contact arbitrary domains if those allowlists are applied).
