Skill v1.0.0

ClawScan security

Chaos Test Designer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 11:46 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions match a chaos-engineering purpose but the SKILL.md expects cluster access, command-line tools, and an undeclared PROMETHEUS endpoint while the package metadata declares no binaries or environment variables — an incoherent/incomplete specification that could lead to accidental destructive actions if run with elevated access.
Guidance
This skill is coherent with chaos-engineering activities but the package metadata is incomplete and the runtime steps are explicitly destructive. Before installing or enabling it: 1) don't allow autonomous runs against production — require human confirmation for any destructive step; 2) ensure the agent's kubectl context and service account are restricted to a non-production namespace with least privilege; 3) confirm required binaries (kubectl, docker compose, curl, python3) and the PROMETHEUS endpoint are declared and provided intentionally; 4) test all generated experiments in staging only and have clear abort/runbooks; 5) if you cannot verify who operates the agent or the exact cluster targeted, do not enable this skill in environments with sensitive production data.

Review Dimensions

Purpose & Capability
concern: The described purpose (design chaos experiments) legitimately requires access to Kubernetes, Docker, monitoring, and the ability to run shell tools; however the registry metadata declares no required binaries, env vars, or credentials. That mismatch (metadata says 'none' while instructions call for kubectl, docker compose, curl, python3, and cluster credentials) is inconsistent and surprising.
Instruction Scope
concern: The SKILL.md gives explicit, destructive steps (kubectl delete pod, scaling deployments, killing resources in namespace=production, AZ/region failover scenarios) and commands that read local files (find/grep) and call monitoring endpoints. Those actions are within the domain of chaos engineering but are high-risk; the instructions also reference $PROMETHEUS and assume access to cluster context and privileged service accounts (e.g., litmus-admin) without any safety gates in the metadata.
Install Mechanism
ok: This is an instruction-only skill with no install spec, which minimizes disk-write/install risk. However, lack of install does not remove risk because the runtime instructions invoke external tools and cluster operations.
Credentials
concern: No environment variables or credentials are declared, but the runtime examples reference $PROMETHEUS and implicitly require Kubernetes cluster credentials (kubectl) and possibly privileged service accounts. The skill should declare these requirements and justify them; as-is, it asks for operations that need sensitive permissions but doesn't tell the user what will be needed.
Persistence & Privilege
note: always is false and autonomous invocation is allowed (the platform default). Autonomous invocation combined with destructive instructions could be dangerous if the agent is allowed to run skills without human confirmation — that risk stems from operational use, not the skill metadata itself.