Skill v6.2.0

ClawScan security

Clawhub Publish V621 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 27, 2026, 1:14 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill is broadly consistent with an AI-agent security scanner, but the SKILL.md contains prompt-injection indicators and the tool optionally feeds untrusted file contents to an LLM — a combination that raises concern and needs review before use.
Guidance
This skill appears to be a legitimate AI-agent security scanner, but exercise caution before installing or running it against sensitive directories. Actions to consider:
- Do not provide an LLM API key (LLM_API_KEY) unless you've reviewed the LLMEngine implementation (src/engines/llm_engine.py) and are comfortable with how it constructs prompts and handles outputs.
- Inspect the truncated/omitted engine code (especially the LLM engine and any code that sends data out) and the full rules file (rules/dist/all_rules.json) for hidden URLs or prompt templates that might instruct an LLM.
- Because the scanner reads files (including configs) and can identify secrets, run it in an isolated environment (VM/container) and avoid scanning directories that contain live credentials or private keys.
- Verify that the package/source (GitHub/Gitee links) matches a trusted upstream, and prefer cloning/inspecting the repo before running any install scripts or 'npm install -g'.
- If you plan to use the LLM review feature, run some controlled tests with benign and known malicious sample files to see how the LLM responds and whether prompt-injection patterns in scanned files can alter behavior.
If you want, I can: (a) list the omitted engine files for closer review, (b) search the repository for external network endpoints, or (c) review src/engines/llm_engine.py for exact prompt-building behavior — providing that would raise confidence in a safe/benign classification.
Findings
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md. That pattern is not needed for a scanner's README and could be an attempt to manipulate an LLM if the SKILL.md (or scanned files) are later fed to an LLM component. Treat as suspicious and review all user-facing texts/rules passed to any LLM.

Review Dimensions

Purpose & Capability
ok: The name, description, and included Python/JS files (scanner.py, classifiers, rule engines, package.json) match an agent security scanner. There are no unrelated required env vars or binaries declared. The file list and README/usage instructions align with the stated purpose.
Instruction Scope
concern: SKILL.md instructs running scanner.py / agent-scanner to scan skill directories (expected), but a prompt-injection pattern ('ignore-previous-instructions') was detected in SKILL.md. The scanner optionally invokes an LLM (LLMEngine) to re-check CRITICAL findings and extracts YAML 'payload' fields for separate analysis, meaning untrusted content can be passed to an LLM. That combination (embedded injection-like strings + LLM review of file payloads) creates a plausible attack vector to influence LLM-based decisions or outputs.
Install Mechanism
note: The registry has no formal install spec; the package includes package.json and recommends pip install -r requirements.txt and npm install -g @caidongyun/security-scanner. Declared Python deps are common (pyahocorasick, tqdm). No high-risk downloads or obfuscated installers were found in the provided files, but the repository links in the docs point to external Git repositories; verify upstream sources before installing globally.
Credentials
note: The skill declares no required env vars, but scanner.py will optionally read an LLM API key from the environment (LLM_API_KEY) if the LLM layer is enabled. The scanner intentionally reads local files (including config files and potential secret locations) as part of its function; this is proportional for a security scanner but means it will touch potentially sensitive data. Do not run it against directories containing secrets unless you trust the code and isolate it.
Persistence & Privilege
ok: Flags are at their defaults: always:false and user-invocable:true. The skill does not request permanent/always-on presence and does not appear to modify other skills or system-wide agent settings in the provided files.