Skill v1.0.0
ClawScan security
branch-protection-auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 12:54 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions mostly target GitHub and will modify repo protections, but the package metadata omits required tools/credentials and its description claims GitLab support that the instructions do not provide — these inconsistencies merit caution before installing or running the skill.
- Guidance: This skill performs read and (optionally) write operations against GitHub repositories, but the metadata omits critical details and claims GitLab support that is not implemented. Before installing or running it: 1) Verify you have the GitHub CLI ('gh') and python3 on the system — the SKILL.md expects them. 2) Understand authentication: 'gh' must be authenticated (or a CI GITHUB_TOKEN provided) and the token must have appropriate scopes; the 'fix' command requires elevated repo/org privileges. 3) Treat 'fix' as potentially destructive — run the 'audit' flow only first, review generated scripts, and test in a non-production org or a single repo. 4) Ask the publisher to correct the metadata: declare required binaries and required credentials, remove or implement GitLab support, and add safe defaults (dry-run, explicit confirmation, least-privilege guidance). 5) If you do not want an agent to make changes autonomously, disable model invocation for this skill or require manual confirmation before running 'fix'.
Review Dimensions
- Purpose & Capability (concern): The description claims GitHub/GitLab support, but every runtime command in SKILL.md uses the GitHub CLI and GitHub API only; there are no GitLab commands. The metadata lists no required binaries, yet the instructions depend on 'gh' and 'python3'. This mismatch between claimed purpose and actual capabilities is unexplained.
- Instruction Scope (note): Instructions are narrowly scoped to listing repos, querying branch protection, checking CODEOWNERS, and applying protection rules via the GitHub API — they do not attempt to read unrelated system files or environment variables. However, the 'fix' flow issues PUT requests that will change repository protections and therefore requires elevated repository/org privileges; the SKILL.md does not include safety controls (dry-run by default, confirmation, or scoping).
- Install Mechanism (note): This is an instruction-only skill (no install spec), which is lower risk. But it implicitly requires external binaries ('gh', 'python3') and authenticated GitHub access, which are not declared in the metadata.
- Credentials (concern): The skill declares no required environment variables or primary credential, yet the commands will only work with authenticated GitHub access and, for the 'fix' command, a token with repo/admin-level write permissions. The absence of declared credential requirements is disproportionate and could surprise users about what secrets or auth are needed.
- Persistence & Privilege (note): 'always' is false (good). The skill could be invoked autonomously (default), and if invoked it can apply destructive changes (branch protection updates). Combining autonomous invocation with the undocumented requirement for high-privilege GitHub credentials increases risk unless users explicitly control invocation and tokens.
