Skill v1.0.0
ClawScan security
database-replication-advisor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 2:03 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated goal (inspecting DB replication) but they require and use sensitive database credentials and perform write probes while the package metadata declares no required environment variables — this mismatch and the write behavior are concerning.
- Guidance: Do not install or enable this skill until the maintainer clarifies the missing metadata and you can review security controls. Specifically: (1) Ask the author to declare all required environment variables/credentials in the registry (DB_HOST, DB_USER, DB_PASS, PRIMARY_HOST, REPLICA_HOST, REDIS_HOST, etc.). (2) Confirm whether the skill requires write access (the provided heartbeat writes to the primary) and request an option to run read-only probes only; prefer read-only accounts for analysis. (3) Avoid passing passwords on the command line (mysql -p"$DB_PASS") — require safer auth methods. (4) Only run the skill against a staging/test environment first. (5) If you allow it to run against production, supply least-privilege credentials scoped to monitoring, and consider disabling autonomous invocation for this skill so actions require explicit user approval. If the author updates the manifest to list required credentials and offers a read-only/no-write probe mode, the concern level would drop.
Review Dimensions
- Purpose & Capability (concern): The name/description (replication analysis) align with the commands in SKILL.md (pg/mysql/redis checks, lag measurement, topology advice). However, the runtime instructions require direct access to database hosts and credentials (DB_HOST, DB_USER, DB_PASS, PRIMARY_HOST, REPLICA_HOST, REDIS_HOST, etc.) despite the registry metadata declaring no required env vars or credentials. That discrepancy is incoherent and requires clarification.
- Instruction Scope (concern): Instructions explicitly run database queries and probes, including a Python heartbeat that writes to the primary (CREATE TABLE / INSERT), shell commands that expose passwords on the command line (mysql -p"$DB_PASS"), and system probes (iostat, ping). These are within the stated purpose but broaden impact: they modify DB state, require elevated access, and can leak secrets via process arguments. The SKILL.md also references many environment variables that are not declared in the skill manifest.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files — nothing is downloaded or written to disk by the skill package itself, which reduces install-time risk.
- Credentials (concern): The instructions need multiple sensitive values (DB credentials, hostnames) but the skill metadata lists zero required env vars or a primary credential. That under-declaration is problematic: it prevents users from reviewing what secrets the skill will need and undermines least-privilege controls. Also, the commands risk exposing secrets (e.g., mysql -p on the command line).
- Persistence & Privilege (note): The skill is not forced always-on and has no install-time persistence, which is good. However, it is user-invocable and model-invocation is enabled (default), so an agent with this skill could autonomously connect to databases and perform the probes described — combine that with the missing credential declarations and write actions and the blast radius increases. This is a risk to consider but not a metadata-level privilege misconfiguration.
