Skill v0.1.1

ClawScan security

Claude Code Delegate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 4, 2026, 12:01 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's behavior (delegating to a local Claude Code CLI with full filesystem write permission) is coherent with its stated purpose, but there are inconsistencies in its declared requirements and some risky recommendations (bypassPermissions with only a recommended write-guard) that warrant caution.
Guidance
This skill appears to do what it says (delegate code work to a local Claude Code CLI) but there are red flags you should address before using it:

- Clarify metadata: the skill's files expect the 'claude' CLI and an ANTHROPIC_API_KEY, but the provided top-level registry metadata listed none. Ask the author to fix the manifest so required binaries/env are declared correctly.
- Run in an isolated project directory first. Do not run the delegate from your home directory or against repos containing secrets or platform config.
- Install the Claude Code CLI and confirm authentication manually (claude --version and claude login) before delegating.
- Implement the write-guard BEFORE using the delegate. The skill recommends a plugin that blocks writes to OpenClaw/platform config — install such a guard and test it thoroughly. If you can't or won't install the guard, do NOT use --permission-mode bypassPermissions.
- Consider adding an explicit install spec or verifying the npm package origin before installing (@anthropic-ai/claude-code). Prefer official releases and check checksums if possible.

If you cannot verify these points or the author does not correct the manifest inconsistency, treat the skill as risky and avoid running it on machines with sensitive files or credentials.

Review Dimensions

Purpose & Capability
Note: The skill's name/description match its instructions: it delegates programming tasks to a local Claude Code CLI. However, the top-level registry metadata provided to you (which showed no required binaries/env) contradicts the embedded _meta.json/README/SKILL.md that explicitly require the 'claude' CLI and an ANTHROPIC_API_KEY or logged-in 'claude' session. That mismatch is an incoherence that should be resolved before trusting the skill.
Instruction Scope
Concern: SKILL.md instructs the agent to run shell commands (cd && claude -p ...) and to use --permission-mode bypassPermissions, which grants broad filesystem read/write. The skill does include strong warnings and a recommended write-guard plugin, but the write-guard is only 'strongly recommended', not enforced. The instructions also require the agent to execute background processes and to poll them later; this is operationally complex and easy to misuse (e.g., launching tasks against sensitive directories). Overall, the runtime instructions permit actions that can read/modify any file on disk if the user omits the write-guard or runs in an unsafe directory.
Install Mechanism
Note: This is instruction-only (no install spec) which keeps disk write risk low, but the README and SKILL.md instruct users to install the Claude Code CLI via npm (npm install -g @anthropic-ai/claude-code). The absence of a formal install spec in the skill registry is an inconsistency: the agent's environment may not have the CLI and the skill relies on that external install step.
Credentials
Concern: Requesting an Anthropic/Claude API key (or a logged-in 'claude' CLI) is proportionate to the claimed purpose. The problem is inconsistent declaration: the skill files and README expect ANTHROPIC_API_KEY and the 'claude' binary, but the top-level metadata provided earlier listed none. Also the guidance to run with --permission-mode bypassPermissions effectively requires broad filesystem access for the delegate — that level of privilege is plausible for a code-writing tool but is high-risk unless protected by an enforced guard. The mismatch in declared vs actual required credentials is the main proportionality issue.
Persistence & Privilege
Note: The skill does not request 'always: true' and is user-invocable, which is appropriate. It recommends adding a write-guard plugin that hooks into platform events (before_tool_call) — creating such a plugin modifies platform behavior, which is reasonable for enforcing safety but does require elevated configuration access. Nothing in the skill tries to persist credentials or reconfigure other skills automatically, but the recommended guard itself needs to be installed by a human operator.