Skill v1.0.0

ClawScan security

Angus Bounty Hunter · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 8:05 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly does what it says (it runs Slither and a local triage flow), but its documentation over-promises automation, a referenced PoC script is missing, and the scan flow runs package installs (npm/pip) inside untrusted repositories, which is a clear operational risk.
Guidance
What to consider before installing/using:
- The tool is mostly a wrapper around Slither plus local triage scripts; it does not enumerate Immunefi/Code4rena programs. You must supply a repo URL. The SKILL.md mentions a PoC generator (poc-template.sh) that is not included in the bundle.
- The scan script runs npm install and pip install inside target repositories. Those commands can execute arbitrary code from the repo or its dependencies (npm lifecycle scripts such as preinstall/postinstall, pip builds that run setup.py or a build backend). Only run scans in isolated environments (ephemeral VM, container, sandbox) and avoid running them on repos you do not trust.
- Verify or remove the npm/pip install steps if you want a safer, dependency-free analysis flow, or vendor and inspect the requirements first.
- The triage step contacts a local Ollama endpoint (127.0.0.1:11434). That is local only, not remote, but make sure your local LLM service is itself secure and does not expose scan data inadvertently.
- Check, and if necessary change, the default WORK_DIR (/tmp/bounty-scans) and OUTPUT_DIR so they point at locations you control; review outputs before sharing them.
- If you need true automation against Immunefi/Code4rena, expect to add authenticated API interactions or scraping logic yourself; this bundle does not perform that.
If you want higher assurance, request a version that omits automatic package installs, includes the missing PoC script, and documents its exact network calls and file writes; otherwise treat this as a useful but operationally risky helper and run it only in isolated sandboxes.
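The guidance above recommends verifying or removing the install steps before pointing the scanner at an untrusted repository. The following script is an added example, written for this review and not part of the skill bundle or the scanner's output: it audits a freshly cloned checkout for the places where npm install and pip3 install -r requirements.txt would execute repository-controlled code (lifecycle hooks in package.json, editable/path/VCS entries in requirements files, a top-level setup.py), and it builds the hardened command lines a scan script should run instead (npm install --ignore-scripts, pip install --only-binary=:all:). The sample repository it creates is constructed for the demonstration; the file names scripts/setup.js and target-protocol are placeholders.

```python
"""Pre-install audit for a freshly cloned target repository.

Added example, not part of the skill bundle: decides whether `npm install` /
`pip3 install -r requirements.txt` would execute repository-controlled code,
and builds the hardened command lines a scan script should use instead.
"""
import json
import sys
import tempfile
from pathlib import Path

# Scripts npm runs automatically during `npm install` (root package and deps).
NPM_LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                       "preprepare", "prepare", "postprepare", "prepublish")
# Already-installed trees are not audited here; .git holds no manifests.
SKIP_DIRS = {"node_modules", ".git"}
# requirements.txt entries pip resolves from source or from a repo-chosen index.
SOURCE_PREFIXES = ("-e ", "--editable", ".", "/", "git+", "hg+", "svn+", "bzr+",
                   "http://", "https://", "file:", "-i ", "--index-url",
                   "--extra-index-url", "-f ", "--find-links")


def _skipped(path: Path, repo: Path) -> bool:
    return any(part in SKIP_DIRS for part in path.relative_to(repo).parts)


def find_npm_hooks(repo: Path) -> list[tuple[str, str, str]]:
    """(manifest, hook, command) for every lifecycle hook in the checkout."""
    hits = []
    for pkg in sorted(repo.rglob("package.json")):
        if _skipped(pkg, repo):
            continue
        rel = str(pkg.relative_to(repo))
        try:
            data = json.loads(pkg.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            hits.append((rel, "unparseable", ""))  # treat as hostile, not as clean
            continue
        scripts = data.get("scripts") if isinstance(data, dict) else None
        if not isinstance(scripts, dict):
            scripts = {}
        hits.extend((rel, hook, str(scripts[hook]))
                    for hook in NPM_LIFECYCLE_HOOKS if hook in scripts)
    return hits


def find_pip_source_installs(repo: Path) -> list[str]:
    """requirements lines (and a top-level setup.py) that make pip build code."""
    reasons = []
    for req in sorted(repo.rglob("requirements*.txt")):
        if _skipped(req, repo):
            continue
        rel = str(req.relative_to(repo))
        text = req.read_text(encoding="utf-8", errors="replace")
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if line and not line.startswith("#") and line.startswith(SOURCE_PREFIXES):
                reasons.append(f"{rel}:{lineno}: {line}")
    if (repo / "setup.py").exists():
        reasons.append("setup.py: executed by pip for any editable or path install of the repo itself")
    return reasons


def audit_checkout(repo: Path) -> dict:
    hooks = find_npm_hooks(repo)
    pip_reasons = find_pip_source_installs(repo)
    return {
        "npm_hooks": hooks,
        "pip_source_installs": pip_reasons,
        # An empty result is not a clean bill: transitive npm dependencies can
        # carry hooks of their own, so the hardened commands below stay on.
        "install_runs_repo_code": bool(hooks or pip_reasons),
    }


def hardened_install_commands(repo: Path) -> list[list[str]]:
    """Dependency fetch that does not execute repo- or dependency-supplied code."""
    cmds = []
    if (repo / "package.json").exists():
        # --ignore-scripts disables lifecycle hooks for the root and every dependency.
        cmds.append(["npm", "install", "--ignore-scripts", "--no-audit", "--no-fund"])
    if (repo / "requirements.txt").exists():
        # --only-binary=:all: rejects sdists, editable and path installs, so no
        # setup.py or build backend runs; it fails closed when a dep has no wheel.
        cmds.append(["pip3", "install", "--only-binary=:all:", "-r", "requirements.txt"])
    return cmds


def build_sample_repo() -> Path:
    """Constructed checkout (not a real project) to exercise the audit offline."""
    root = Path(tempfile.mkdtemp(prefix="bounty-audit-"))
    (root / "package.json").write_text(json.dumps({
        "name": "target-protocol",  # placeholder project name
        "scripts": {"build": "hardhat compile", "postinstall": "node scripts/setup.js"},
    }))
    nested = root / "node_modules" / "left-pad"  # pre-installed tree, must be skipped
    nested.mkdir(parents=True)
    (nested / "package.json").write_text(json.dumps({"scripts": {"preinstall": "echo hi"}}))
    (root / "requirements.txt").write_text("slither-analyzer\n# installs the repo itself\n-e .\n")
    (root / "setup.py").write_text("from setuptools import setup\nsetup(name='target')\n")
    return root


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else build_sample_repo()
    print(json.dumps(audit_checkout(target), indent=2))
    for cmd in hardened_install_commands(target):
        print("would run:", " ".join(cmd))
```

Run it as python audit_checkout.py /path/to/clone (or with no argument to see the constructed sample) before the scan script's install step, and treat a non-empty report as a reason to stop and read the flagged files rather than as something to work around. Two caveats: --ignore-scripts also suppresses legitimate build hooks, which is acceptable for static analysis but may leave generated files missing; and even with installs hardened, Slither's compilation step invokes the project's own build tool (for example hardhat compile), which executes repository-controlled configuration, so the sandbox advice in the guidance still applies.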

Review Dimensions

Purpose & Capability
concern
The description implies automated scanning of Immunefi/Code4rena targets; the included scripts do not query those services or automate target discovery, they require a user-supplied GitHub repo URL. SKILL.md references a poc-template.sh that is not present in the bundle. This mismatch between advertised automation and delivered tooling is an incoherence.
Instruction Scope
concern
scan.sh clones arbitrary repos and runs npm install and pip3 install -r requirements.txt from within the target repo. Installing dependencies from untrusted repositories can execute arbitrary code (npm lifecycle scripts, pip install side effects). triage.sh only talks to a localhost LLM endpoint (127.0.0.1:11434), so there are no obvious remote exfiltration endpoints, but the scripts do run actions that could execute code from the target repository.
Install Mechanism
ok
No install spec (instruction-only); the included scripts are plain shell/Python. Nothing is downloaded by the skill itself during install. Note that runtime behavior triggers package installs from scanned repositories (npm/pip), which is an operational risk but not an installer red flag.
Credentials
ok
The skill does not request credentials or environment variables (only the optional BOUNTY_WORKDIR and BOUNTY_OUTPUT). It uses local services (solc-select, slither, optional Ollama) consistent with its purpose; no unrelated secrets are required.
Persistence & Privilege
ok
The skill's always flag is false, and the skill does not attempt to persist itself or modify other skills or system-wide agent settings. It writes scan outputs to a working directory but does not claim elevated or permanent privileges.