Skill v1.0.0

ClawScan security

certificate-lifecycle-manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 29, 2026, 12:55 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions fit certificate management, but they ask the agent to access broad, sensitive surfaces (filesystem, all Kubernetes secrets, system certbot state) while the declared requirements list nothing — that mismatch and the high privilege of the actions are concerning.
Guidance
This skill's behavior is coherent with certificate lifecycle management, but it expects (without declaring) broad access to your hosts, Kubernetes cluster secrets, and local filesystem. Before installing or running it:
1) Treat it as high-privilege — run in a controlled environment or staging account first.
2) Verify required tools and declare them (openssl, kubectl, python3, certbot, curl).
3) Limit scope: provide an explicit host list and/or restrict kube namespaces instead of allowing cluster-wide secret reads.
4) Avoid running 'find /' as root; restrict paths to known certificate locations to avoid exposing private keys.
5) Check that kubectl context and kubeconfig are the intended ones and that role-based access prevents reading unrelated secrets.
6) Audit certbot and renewal-hook commands before running to avoid unexpected execution.
7) If you expect autonomous invocation, restrict the skill's permissions or disable autonomous model invocation until you trust it.
If you cannot verify these points, treat the skill as risky and do not grant it cluster or root-level access.

Review Dimensions

Purpose & Capability
concern: The SKILL.md clearly needs tools and access consistent with cert lifecycle tasks (openssl, kubectl, python3, certbot, curl, ability to read filesystem and kube secrets), but the registry metadata declares no required binaries, env vars, or config paths. That mismatch (no declared prerequisites while instructions rely on many binaries and credentials) is incoherent and should be justified.
Instruction Scope
concern: Instructions perform broad discovery: network scans of hosts/ports, 'find /' across the filesystem, and 'kubectl get secrets -A' with decoding of tls secrets. These actions will enumerate potentially sensitive material (private keys in files, all cluster TLS secrets) — while relevant to 'discover certificates', this level of access is high-risk and should be explicit and scoped (e.g., specific namespaces, paths, or a limited hosts list). The SKILL.md also references environment variables ($HOSTS, $HOST) that are not declared.
Install Mechanism
ok: This is instruction-only with no install steps or downloaded code, which reduces risk of arbitrary remote code being written/executed. However, runtime commands will call system binaries and tools that must exist and may require elevated privileges.
Credentials
concern: No environment variables, credentials, or config paths are declared, but the instructions implicitly require: a populated $HOSTS/$HOST, access to kubectl context (kubeconfig with permission to read secrets cluster-wide), and likely root or elevated filesystem access for 'find /' and certbot operations. Requesting cluster-wide secret reads and full filesystem scans is disproportionate unless the user explicitly intends that scope.
Persistence & Privilege
note: The skill is not marked 'always' and is user-invocable only; model invocation is allowed (normal). Because the instructions require broad, privileged access when executed, allowing autonomous invocation would increase risk — but autonomous invocation alone is not being flagged as unusual here.