Skill v1.2.4

ClawScan security

Mind Security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 18, 2026, 4:12 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely does what it says (four scanners) but registry metadata and declared requirements are inconsistent with the code and docs — some declared 'required' secrets/tools are optional or unused, which is disproportionate and worth investigating before install.
Guidance
This package generally implements what it claims, but there are metadata and requirement inconsistencies you should resolve before installing or providing credentials. Things to consider:
- Only provide API keys you intend to use. BitMind and GPTZero are needed for their respective modules; VirusTotal/URLScan/Google Safe Browsing are optional and should not be treated as mandatory.
- The registry's requirement for curl/wget appears unnecessary — the scripts use Python's urllib. Ask the publisher why curl/wget are marked required and refuse to provide unrelated binaries or run in environments that don't need them.
- The prompt-injection module includes real attack patterns in its docs; the pre-scan detection of injection strings is expected. This is not proof of maliciousness.
- The optional llm-guard ML layer downloads a ~500MB model to the user's cache on first use — plan for disk and network usage and review that library if you enable it.
- The skill sends user content to third-party APIs (BitMind, GPTZero, VirusTotal, URLScan, Google Safe Browsing). If you will analyze sensitive data, isolate network access, use dedicated API keys with limited scope, and confirm the vendors' privacy policies.
- Recommended next steps: contact the skill publisher (repo homepage) to correct registry metadata (mark optional keys as optional, remove unnecessary curl/wget requirement), or inspect/modify the scripts locally before use. If you need higher assurance, prefer running the scripts in an isolated environment or review the full code paths for any truncated parts.
Findings
[ignore-previous-instructions] expected: The SKILL.md and prompt-injection references include explicit injection examples like 'ignore all previous instructions' to demonstrate detection. The detection of this pattern by the scanner is expected and not on its own evidence of malicious intent.

Review Dimensions

Purpose & Capability
note
The name/description (deepfake, prompt-injection, malware URL, AI-text detection) matches the included scripts and reference docs. Each script uses the API keys you'd expect (BitMind for deepfakes, GPTZero for AI-text, VirusTotal/URLScan/Google Safe Browsing for URL scans). However, the registry metadata claims all listed env vars are required, while the README and code indicate several (VirusTotal, URLScan, Google Safe Browsing) are optional. The metadata also demands one of curl/wget even though the Python scripts use urllib and do not call those binaries — that requirement is disproportionate.
Instruction Scope
ok
SKILL.md instructs the agent to run the included Python scripts and documents which third-party APIs will be contacted. The scripts appear to only send the user-provided artifact (text, URL, or media) to the declared vendor endpoints. There are no instructions asking the agent to read unrelated system files or secrets. Example prompt-injection test strings (e.g., 'ignore all previous instructions') appear in the docs because the module is explicitly a prompt-injection detector; this is expected.
Install Mechanism
ok
There is no install spec — instruction-only with code files (scripts) included. Core operation uses stdlib; optional dependency llm-guard is documented for Layer 2 (ML) of prompt-injection, and its model download (~500MB) is noted. No remote arbitrary downloads are performed by the skill itself during install. Overall low install risk, but users should expect optional large model downloads if they enable the ML layer.
Credentials
concern
Registry requires BITMIND_API_KEY, GPTZERO_API_KEY, VIRUSTOTAL_API_KEY, URLSCAN_API_KEY, GOOGLE_SAFE_BROWSING_KEY. The code and docs show BitMind and GPTZero are required for their respective features, but VirusTotal/URLScan/Google Safe Browsing are optional (local heuristics run without keys). Declaring all of them as required is disproportionate and could trick users into supplying unnecessary credentials. Primary credential set to BITMIND_API_KEY is plausible but not strictly justified as the 'primary' across all use cases.
Persistence & Privilege
ok
The skill does not request always:true and is user-invocable. It does not modify other skills or system configs. No evidence of persistent background behavior beyond running the scripts. Optional llm-guard model caching uses the user's ~/.cache/huggingface, which is normal for that library.