Skill v1.0.0
ClawScan security
csp-policy-generator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 2:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions generally match a CSP generator but they reference undeclared environment variables and command-line tools (curl, python3, rg, openssl) and make assumptions that should be clarified before use.
- Guidance: This skill appears to do what it says (generate and validate CSPs) but has a few practical inconsistencies you should address before using it in production:
  - Provide HOST explicitly: the SKILL.md uses $HOST but the skill metadata does not declare any required env var. Make sure you run commands with HOST set (or modify the instructions) to avoid accidental scans of the wrong host.
  - Ensure required tools are available: the scripts call curl, python3, rg (ripgrep), grep, and openssl. Install or verify these tools on the machine that will run the skill.
  - Run on staging and limit network access: the tool fetches pages and JS from the target. Pointing HOST at internal or sensitive endpoints could leak information. Test against non-production copies first.
  - Be careful with report endpoints: the migration instructions suggest using /csp-report — ensure that report collection is secured, storage/retention is appropriate, and sensitive payloads in reports are handled safely.
  - Expect false positives/negatives: the HTML/JS parsing uses simple regexes and inspects a single JS path; review the generated policy manually and run in report-only mode before enforcement.

  If you plan to install or share this skill, ask the author to (1) declare HOST in requires.env, (2) list required binaries in metadata, and (3) note any network/security assumptions explicitly. These changes would remove the main coherence concerns.
Review Dimensions
- Purpose & Capability (concern): The name and description (CSP generation, validation, migration) align with the SKILL.md steps. However the runtime instructions require runtime inputs/tools (see instruction & env concerns) that are not declared in the skill metadata — e.g., it expects a $HOST value and uses several common CLI tools. Those omissions are an incoherence between claimed requirements and what is actually needed to perform the task.
- Instruction Scope (note): Instructions stay within CSP-related tasks (fetch pages, extract resource origins, build policies, validate headers, generate nonces/hashes). They do not request unrelated credentials or system configuration. Caveats: parsing relies on brittle regexes and only explicitly checks a single JS file (https://$HOST/main.js), which may miss dynamically loaded scripts or resources on other paths; the SKILL.md also recommends monitoring a /csp-report endpoint but does not advise how to secure or store those reports.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files — low install risk. Nothing is downloaded or written by the skill spec itself.
- Credentials (concern): The SKILL.md expects an environment variable or shell variable $HOST (used throughout commands) but the skill metadata declares no required env vars. The instructions also assume the presence of command-line tools (curl, python3, rg/ripgrep, grep, openssl) that are not listed as required binaries. While none of these are credentials, the mismatch between declared requirements and actual runtime assumptions is a proportionality/clarity issue that could cause unintended behavior or failures.
- Persistence & Privilege (ok): The skill does not request persistent privileges, does not set always:true, and contains no install hooks that modify agent configuration. Autonomous invocation is enabled (default), but that is expected; there is no additional persistence or cross-skill modification.
