Skillv1.0.0

ClawScan security

Environment Promoter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 27, 2026, 11:48 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions generally match an environment-promotion purpose, but they directly read and print repository config and .env files (with a flawed masking approach) which risks exposing secrets and is sloppy about required tools.
Guidance: This skill appears to do what it claims (compare envs, detect drift, plan promotions), but it will search your repository and read .env and config files — potentially printing secret values. Before using it: (1) review and, if needed, fix the masking logic (mask by key name and never print raw secret values), (2) run it only on sanitized copies of repos that do not contain live secrets, (3) ensure required CLI tools (python3, git, ripgrep 'rg') are available or update scripts to degrade gracefully, and (4) avoid granting the agent autonomous access to production checkouts or secrets until you validate its output and behavior. If you want, I can suggest safer edits to the SKILL.md to reduce secret exposure (e.g., change mask logic, stop printing values, or report only key names and differences).

Review Dimensions

Purpose & Capability: okName/description (compare envs, detect drift, plan promotions) aligns with the commands in SKILL.md: it scans .env files, k8s/manifests, docker-compose, Terraform, and git tags — all reasonable for an environment promotion tool.
Instruction Scope: concernThe instructions tell the agent to search the repository and read/print .env files and config manifests. That is within scope, but the provided scripts print actual values and rely on an inline Python mask function that only inspects values (not key names) for sensitive substrings — so secrets in common .env keys are likely to be exposed. The scripts also call utilities (rg, python3, git) without declaring them, and use broad find/grep across the workspace.
Install Mechanism: okNo install spec and no code files are included (instruction-only). This minimizes installation risk because nothing is downloaded or written by the skill itself.
Credentials: concernThe skill requests no credentials but the runtime instructions access repository files and environment variable files that commonly contain secrets (API keys, DB passwords). Not requesting credentials is coherent, but the behavior of reading and printing those files is high-risk and disproportionate unless the user explicitly runs it on sanitized or non-sensitive checkouts.
Persistence & Privilege: okalways:false and no installs or system-wide config changes are requested. The skill does not request persistent presence or modify other skills; autonomous invocation is allowed (platform default) but not combined with other privilege escalations here.