Skillv0.1.1

ClawScan security

Cancorteaw App · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewFeb 23, 2026, 9:28 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (manage local Expo apps under /home/patron/apps) matches its instructions, but it relies on and will execute an external script on the host (/home/patron/apps/_bin/appctl) that is not bundled or verified, which creates a notable integrity risk.
Guidance: This skill appears to do what it says (manage Expo apps), but it relies on executing /home/patron/apps/_bin/appctl that is not included in the skill. Before installing or enabling it: 1) Inspect the file /home/patron/apps/_bin/appctl (and ensure it is the intended, auditable script). 2) Verify file ownership/permissions so untrusted users cannot replace it. 3) Confirm the host user account that will run the skill is non-privileged and that /home/patron/apps is writable only by trusted accounts. 4) Be aware that npx/npm will download packages from the network (supply-chain risk); consider restricting network access or running in an isolated environment. 5) If you cannot review or lock down appctl, treat the skill as risky because it can execute arbitrary commands on the host.

Review Dimensions

Purpose & Capability: noteName/description (Expo/React Native app runner) align with the documented actions (create app, add screen, start preview). However the skill.json entrypoint runs /home/patron/apps/_bin/appctl on the host — a script outside the skill bundle — so the runtime behavior depends entirely on that external script's contents rather than the packaged skill.
Instruction Scope: concernSKILL.md describes file writes under /home/patron/apps, running npx/create-expo-app and npx expo start (which will download packages), creating pids/logs, and recommends kill commands. It also claims an allowlist and path constraints, but those are descriptive only: the skill provides no enforcement mechanism. Because the agent will execute the host script, that script could read or modify other files or run arbitrary commands if tampered with.
Install Mechanism: okInstruction-only skill with no install spec and no bundled code — lowest install risk. The runtime still invokes npx/npm which downloads packages from the network when creating or running projects (expected behavior for Expo development).
Credentials: okThe skill declares no required env vars or credentials. SKILL.md notes EXPO_PORT (optional) and sets EXPO_NO_TELEMETRY in preview — these are proportional to the stated functionality and do not request secrets.
Persistence & Privilege: concernalways:false (good), but the skill's entrypoint executes a host-local script (/home/patron/apps/_bin/appctl). Because the script is not bundled or validated, an attacker with write access to that path could make the skill execute arbitrary code. The skill also creates processes, pid files, and log files under /home/patron/apps which could be abused if the runner script is malicious or compromised.