Skill v1.0.0

ClawScan security

Error Budget Tracker · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 11:41 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match its SLO-tracking purpose, but the runtime docs reference environment variables and binaries (e.g., $PROMETHEUS_URL, curl, python3) while the manifest declares none — an incoherence that could lead to unexpected credential exposure or broken behavior.
Guidance
This skill appears to do what it says (query Prometheus, calculate error budgets, and generate alerts/reports), but the SKILL.md expects a PROMETHEUS_URL and uses curl/python3 while the skill metadata declares no required env vars or binaries. Before installing: 1) ask the author to update metadata to list required env vars (PROMETHEUS_URL, and any auth token names) and required binaries (curl, python3), 2) ensure any Prometheus credentials are read-only and scoped to metrics-only access, 3) confirm where alerts/pages will be sent (so you don't accidentally route sensitive info to external endpoints), and 4) test in a constrained environment (use a read-only Prometheus service account or staging Prometheus) to verify behavior. Because the skill implicitly needs credentials but doesn't declare them, treat it as suspicious until those gaps are resolved.

Review Dimensions

Purpose & Capability
note: The name and description (track SLOs, calculate budgets, alert, and generate reports) align with the SKILL.md steps which query Prometheus, compute burn rates, and render reports. However, the manifest declares no required environment variables or binaries while the instructions clearly expect a Prometheus endpoint and use curl/python3 — this mismatch is unexpected and should be justified.
Instruction Scope
note: Instructions are concrete and limited to SLO definition, querying Prometheus, computing metrics, and producing reports/policies. They do not instruct broad system enumeration or exfiltration. But they explicitly reference $PROMETHEUS_URL (and implicitly may require auth tokens) and shell commands; the SKILL.md does not document authentication, where alerts are published, or how secrets are supplied. That ambiguity grants the agent discretion that should be constrained.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files. That is the lowest-risk install model and is coherent with the described functionality.
Credentials
concern: The skill runtime uses $PROMETHEUS_URL and shell tools (curl, python3) but the registry metadata lists no required env vars or primary credential. If Prometheus requires authentication the skill will need tokens/credentials; those are neither declared nor scoped. The skill therefore asks for potentially sensitive access implicitly (metrics access) without declaring it or describing minimal privilege (read-only) or where alerts will be sent.
Persistence & Privilege
ok: always:false and no install/daemon behavior; the skill does not request elevated persistence or modify other skills. Autonomous invocation is allowed (platform default) but there are no combined red flags like always:true plus broad credential access.