Skillv1.0.0

ClawScan security

Runbook Automator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 11:46 PM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's stated purpose (convert runbooks to automated playbooks and audit runbooks) matches the instructions, but the SKILL.md contains undeclared references to credentials, external notification hooks, and allows generation/execution of potentially destructive commands without explicit safety guardrails — these inconsistencies merit caution.
Guidance: This skill appears to do what it claims but contains several omissions and safety risks. Before installing or using it: - Treat generated playbooks as potentially destructive: always review any generated script line-by-line before running, and prefer DRY_RUN=true for testing. - Expect it to try to send notifications to Slack/PagerDuty if SLACK_WEBHOOK or PAGERDUTY_KEY are present in your environment — remove or isolate those env vars if you don't want test messages sent. - The skill references external services (Confluence, Google Docs) but doesn't declare required credentials; verify how the agent would access those sources and don't provide credentials unless you trust the skill. - Run the tool only in an isolated/test environment when first trying it; do not run on production hosts or with production credentials until you have validated generated scripts and rollback behavior. - Ask the publisher (or request in the registry) that the skill declare required env vars, list the external commands it intends to call (kubectl, curl, bc, etc.), and add explicit safety checks (require explicit user confirmation before any non-dry-run execution, sandboxing, and detection of destructive commands). - If you are uncomfortable with autonomous execution, restrict or disable automatic invocation for this skill in your agent configuration and require manual invocation/approval.

Review Dimensions

Purpose & Capability: noteThe name and description align with the instructions: parsing runbooks, classifying steps, generating scripts, auditing documents, and dry-running playbooks are coherent capabilities for a Runbook Automator. However, the SKILL.md references external systems (Slack, PagerDuty, Confluence, Google Docs) and runtime secrets (SLACK_WEBHOOK, PAGERDUTY_KEY) without declaring them in the skill metadata, which is an omission/incoherence between claimed capabilities and declared requirements.
Instruction Scope: concernThe runtime instructions include generating executable scripts that may run arbitrary system commands (e.g., kubectl, DB failover commands), set trap-based rollbacks, and send notifications to external endpoints. The 'test' and 'convert' flows imply probing hosts and verifying credentials. There are no explicit safety guardrails described (for example, requiring an explicit user confirmation before executing a non-dry-run script, sandboxing, or automated checks for destructive operations). This gives the agent broad discretion to read repository files and potentially execute dangerous commands derived from runbooks.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files, so it does not write code to disk or pull external binaries. That minimizes install-time risk.
Credentials: concernThe SKILL.md references environment variables and secrets (SLACK_WEBHOOK, PAGERDUTY_KEY, DRY_RUN) and external services (Slack, PagerDuty, Confluence, Google Docs) but the skill metadata lists no required env vars or credentials. This mismatch is problematic: the skill expects to use notification hooks and possibly credentials to reach hosts, yet does not declare them. A user could accidentally have their real webhooks/keys used if present in the environment, and there is no explicit guidance on what is required or how secrets are handled.
Persistence & Privilege: okalways is false and the skill is user-invocable. There is no install-time persistence or configuration of other skills. Autonomous invocation is allowed (the platform default) but not combined with other high-risk factors such as permanent presence or unsolicited configuration changes.