Skill v1.0.0
ClawScan security
Key Rotation Planner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 29, 2026, 11:45 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's purpose (planning key rotations) is plausible, but the runtime instructions expect access to secrets managers and CLI tools (aws, vault, rg, python3) while the skill metadata declares no required binaries or credentials — a clear mismatch that needs clarification before installation.
- Guidance: Do not install or run this skill until the author clarifies dependencies and privileges. Specifically: (1) Ask the publisher to declare required binaries (aws, vault, rg, python3) and required environment variables (e.g., AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY or an IAM role, VAULT_ADDR/VAULT_TOKEN). (2) Verify the minimum permissions needed — prefer read-only, least-privilege IAM roles and limited Vault policies that only list metadata, not secret values. (3) Confirm how calendar/ticket reminders are created (which API/endpoints) and require explicit, auditable actions before any external posting. (4) Run the scanning steps in a safe, non-production environment first (or with logging/audit enabled) so secret exposure is controlled. If the publisher updates the metadata to declare the exact binaries and credential scopes, and the runbook limits actions to non-exfiltrating operations (or uses safe read-only discovery), the incoherence would be resolved and the assessment could be upgraded.
Review Dimensions
- Purpose & Capability (concern): The stated purpose (inventorying and rotating keys) matches the SKILL.md content, but the skill's metadata declares no required binaries or credentials even though the instructions call aws CLI, HashiCorp Vault, ripgrep (rg), and python3. Legitimate operation of this skill would normally require those tools and access credentials.
- Instruction Scope (concern): SKILL.md tells the agent to run commands that enumerate repositories for secrets and to call aws secretsmanager and vault list operations. These instructions access sensitive data (secret listings, potential hardcoded keys) and also delegate undefined actions (creating calendar events or tickets) without specifying endpoints. The instructions grant broad discretion to access secrets managers and repository contents, which is outside what the metadata declares.
- Install Mechanism (note): There is no install spec (instruction-only), which reduces disk-write risk. However, the instructions rely on several external binaries (rg, aws, vault, python3) that are not declared as required. The lack of declared dependencies is an inconsistency to fix — it doesn't introduce a direct install URL risk but is misleading about what the agent will actually execute.
- Credentials (concern): SKILL.md implicitly requires access to cloud and secrets-manager credentials (AWS credentials or a role, VAULT_ADDR/VAULT_TOKEN or similar) to list secrets and evaluate rotation status, yet the skill metadata lists no required environment variables or primary credential. This is disproportionate and may cause the agent to attempt credentialed operations without the user being informed.
- Persistence & Privilege (note): The skill is not always-enabled and is user-invocable (normal). It does not request persistent installation or system-wide configuration. However, because the instructions can access sensitive secrets if run, you should avoid granting autonomous invocation or broad credentials without review.
