Skill v1.0.0

ClawScan security

TLS Configuration Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 29, 2026, 11:34 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions are coherent for a TLS auditor, but the package metadata omits the external tools it actually requires (openssl, curl, nmap, python3) and the SKILL.md assumes system utilities and network scanning — this mismatch and the unknown source warrant caution.
Guidance
This skill appears to be a legitimate TLS auditor, but metadata is incomplete. Before installing:
1) Verify the skill's origin (unknown homepage/source is a risk).
2) Ensure the agent or host has the required tools (openssl, curl, nmap with NSE, python3) — the SKILL.md will call them but the registry lists none.
3) Only run scans against hosts you own or are authorized to test (nmap/openssl scans can be intrusive and may be considered hostile).
4) If you enable the 'monitor' feature, confirm where alerts will be sent and do not provide sensitive credentials to the skill.
5) Ask the publisher to update metadata to declare required binaries and any expected inputs; that will increase confidence.
If you need higher assurance, request source or a homepage and a signed release.
Findings
[no_regex_findings] expected: The scanner found no code artifacts to analyze because the skill is instruction-only (SKILL.md only). This is expected; absence of findings does not imply safety.

Review Dimensions

Purpose & Capability
concern
The skill's name and description match the runtime instructions (checking TLS versions, ciphers, cert chains, HSTS, etc.). However, the registry metadata declares no required binaries or environment variables while the SKILL.md clearly depends on system tools (openssl, curl, nmap, python3). That omission is an incoherence: the declared requirements don't match what the skill will actually run.
Instruction Scope
ok
The SKILL.md stays within a TLS-auditing scope: it runs network checks against a provided $HOST, inspects certificates and headers, and suggests generating reports or a monitoring job. It does not instruct reading unrelated local files or exfiltrating data to third-party endpoints. Note: the monitor step could lead users to configure alerting destinations (not specified) — be cautious about where alerts are sent.
Install Mechanism
ok
This is an instruction-only skill with no install spec or code files, which is lower risk. However, it implicitly requires external binaries (openssl, curl, nmap, python3) to be present on PATH; the absence of an install spec means the user/agent must already have these tools. The metadata should list required binaries.
Credentials
ok
No environment variables or credentials are requested or used in the SKILL.md beyond the $HOST parameter for target scanning. This is proportionate to the stated purpose.
Persistence & Privilege
ok
The skill is not always-enabled and has no install behavior or persistent privileges. It does not request system-wide config changes or other skills' credentials.