Skill v1.0.0
ClawScan security
data-anonymizer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 2:02 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions broadly match an anonymizer, but they request/assume access to files and databases (and libraries) without declaring required dependencies or credentials and include open-ended filesystem and destructive SQL operations — the mismatch and scope make this risky.
- Guidance: This skill's content generally matches an anonymizer, but it has important gaps and risky guidance. Before installing or running it: (1) don't run its commands against production — operate only on backups or isolated copies; (2) ensure required tools are present (python3, rg/ripgrep, Faker library, and DB client) and add them to the skill metadata; (3) require explicit DB credentials to be provided at runtime and follow least-privilege principles (read-only dumps or a dedicated anonymization account); (4) prefer path-scoped scans rather than sweeping the filesystem to avoid exposing unrelated secrets; (5) add safety checks (dry-run, sample verification, confirmation prompts) before any UPDATE/DELETE; and (6) restrict autonomous invocation or require manual approval for any destructive steps. If the publisher can explain why no credentials/dependencies are declared and add explicit safety controls, reassess.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md describes scanning files, parsing DB schemas, and running SQL updates — which legitimately require Python, ripgrep (rg), DB client access, and possibly Python packages like Faker — but the skill metadata declares no required binaries, dependencies, or credentials. That mismatch (un-declared DB access and runtime deps) is disproportionate to the declared 'none' requirements.
- Instruction Scope (concern): Runtime instructions tell the agent to run rg across files and to parse SQL dumps/migrations with no path restrictions; this can read arbitrary files (including config, secrets, or unrelated data). The guidance also includes direct, destructive SQL UPDATE statements (UPDATE ... WHERE true) against 'users' without safety gating or explicit 'run on a copy only' checks. The instructions are open-ended and can surface or modify sensitive data beyond narrowly scoped targets.
- Install Mechanism (note): This is instruction-only (no install spec), which minimizes supply-chain risk. However, the instructions assume third-party tools/libraries (rg, python3, faker, and DB client/permissions) but do not tell the user to install them or declare them in metadata — a usability/security oversight rather than a direct supply-chain red flag.
- Credentials (concern): The skill implicitly requires database credentials and filesystem access to do its job, yet requires.env and primary credential fields are empty. It also suggests scanning for patterns like 'api_key', 'password', 'token' and includes SQL that would modify production data — requesting broader access than the metadata indicates and lacking any explicit credential handling or least-privilege guidance.
- Persistence & Privilege (note): always is false and the skill is user-invocable (normal). However, because the instructions permit broad filesystem scanning and destructive DB operations, autonomous invocation (the platform default) combined with the above mismatches would increase risk; consider restricting autonomous use or requiring explicit confirmation before any destructive action.
