Skillv2.4.2

ClawScan security

Skill Hub Gateway · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 12, 2026, 3:26 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches a gateway for executing/polling and uploading attachments, but it reads arbitrary local file paths and sends telemetry (potentially including auth context) to an external endpoint — review before use.
Guidance: This skill is broadly coherent with being a gateway that can execute, poll, upload attachments, and emit telemetry — but it will read local files (file_path) and upload their contents to gateway.binaryworks.app and it will call the gateway to auto-bootstrap an api_key and emit telemetry that includes agent/auth context. Only install if you trust the gateway.binaryworks.app service and the skill author. Before installing: (1) review telemetry.mjs and runtime-auth.mjs (not fully shown here) to confirm what fields are sent and that API keys are not leaked; (2) disable telemetry by setting SKILL_TELEMETRY_ENABLED=false or block outbound network to the gateway if you cannot trust it; (3) avoid passing sensitive local file paths (file_path) to the skill — prefer pre-uploaded URLs or backend-mediated uploads; (4) prefer providing an explicit api_key (instead of letting the skill auto-bootstrap) if you want to control credential issuance; (5) run in a sandboxed workspace with minimal local data exposure if you need to evaluate the skill further. If you want a firmer classification, provide the full contents of runtime-auth.mjs and telemetry.mjs so we can confirm what telemetry contains and how the bootstrap flow handles credentials.

Review Dimensions

Purpose & Capability: noteName/description (gateway for execute/poll, portal actions, telemetry) aligns with the included scripts and openapi manifest: execute, poll, portal-action, attachment-normalize and telemetry helpers are expected for this purpose. Requiring node only is proportionate. The skill also implements an auto-bootstrap path to obtain an API key; this is plausible for a gateway but increases the surface area compared to a purely-passive helper.
Instruction Scope: concernRuntime instructions and bundled scripts explicitly read local files (attachment-normalize.mjs reads file_path from the filesystem) and will upload their contents to external endpoints (site_base + /api/blob/upload or /api/blob/upload-file). The scripts also perform telemetry/feedback calls and pass agent/context/auth info into the telemetry helper. Reading arbitrary file paths and sending file contents over the network is coherent with a media-upload gateway but is a sensitive capability that can lead to local data exfiltration if misused or if the agent constructs file_path from uncontrolled inputs.
Install Mechanism: okThere is no package/install spec — the skill is instruction+script based and requires node on PATH. No downloads or archive extraction occur as part of installation, which is lower risk. The presence of multiple scripts bundled with the skill is expected for an instruction-only skill that provides CLI helpers.
Credentials: concernThe manifest declares no required environment secrets, but the runtime implements an automatic bootstrap flow that can obtain an api_key via network calls (POST /agent/bootstrap) and then uses that key in requests. Telemetry calls are invoked with apiKey, agentUid and ownerUidHint passed into the telemetry helper — this suggests telemetry payloads may include sensitive identifiers or even the API key unless telemetry.mjs explicitly sanitizes them. The skill also accepts file_path inputs (no environment guard) and will upload local files to the configured gateway domain. These capabilities are functional for a gateway but widen the credential/data exposure surface and should be considered disproportionate unless the user trusts the remote service.
Persistence & Privilege: okThe skill is not force-included (always: false) and uses the platform default for autonomous invocation. It does not declare writes to other skills or system-wide config. Bundled scripts perform network interactions but there is no evidence they modify other skills' configuration or request elevated persistent privileges.