Skill v1.0.0

ClawScan security

Aagent System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 16, 2026, 4:41 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches its stated purpose (automated collection and scanning) but includes unexpected external shell executions and aggressive process-spawning behavior that are not justified in the SKILL.md and raise safety and resource concerns.
Guidance
This skill's code mostly matches its claimed purpose (collecting and scanning packages), but it also executes shell scripts from the user's home (~) and launches many background processes, behaviors not described in the SKILL.md. Before installing or running it:

1) Inspect the referenced shell scripts (~/aass-scripts/* and ~/aass-dataset/*) or remove those exec calls;
2) Run the skill in a sandboxed environment (VM/container) and limit its network access;
3) Consider limiting process permissions and resource caps (CPU/memory);
4) Confirm the skill's provenance: there is no homepage or owner info beyond an ID;
5) If you cannot audit the external scripts, do not run this on a production or sensitive machine.

These steps will reduce the risk that hidden or unrelated local scripts are executed or that the system is overwhelmed by spawned processes.

Review Dimensions

Purpose & Capability
Concern: Most code (collectors, scanners, perf monitor, evolver, designer) aligns with the stated purpose of automated sample collection and scanning. However, several agents call external shell scripts located in the user's home directory (e.g., analyzer: '~/aass-scripts/3layer_scheduler.sh', researcher: '~/aass-scripts/daily_intel.sh', scanner: '~/aass-dataset/secure_dataset.sh'), which are not mentioned in SKILL.md or other documentation and are outside the skill's codebase. This is disproportionate to the described functionality and unexplained.
Instruction Scope
Concern: SKILL.md instructs the user to run the node agent manager and view local data files (samples.json, logs), which is fine. But the runtime code extends that scope by executing arbitrary shell scripts in ~ (see analyzer/researcher/scanner), launching background processes with inline shell commands (orchestrator and evolver spawn new agents via exec with '&'), and invoking pgrep to enumerate processes. Those actions read and execute things outside the skill directory and give the skill broad runtime effects beyond simple API scraping and scanning.
Install Mechanism
Note: No install spec (instruction-only install) reduces supply-chain download risk. But this skill includes many JavaScript files that will be placed in the workspace and executed if started. There is no external binary download, which is lower risk than remote installers, but the included code will still spawn processes and run shell commands locally.
Credentials
Note: The skill declares no required environment variables or credentials (appropriate for public registry scraping). That said, it performs network requests to many external endpoints (npm, cnpm, GitHub) and may start scripts in the user's home that could access credentials present there. The code does not request secrets but could execute local shell scripts that read them, which is a potential indirect risk.
Persistence & Privilege
Concern: always:false (good). But the orchestrator and evolver intentionally spawn many background Node processes (e.g., startRole uses 'node agents/... > /dev/null 2>&1 &' and evolver executes background nodes in a loop). That grants the skill persistent, multi-process presence and can consume significant system resources or run arbitrary commands (especially combined with execution of home-directory scripts). This persistent process-spawning is more privileged than a simple synchronous skill invocation.