ClawSentinel
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you ask it to audit a GitHub repository, your agent may fetch public files from GitHub.
The skill may direct the agent to retrieve public GitHub content, but the network access is disclosed, user-directed, and coherent with repository auditing.
Only fetches raw.githubusercontent.com when you explicitly audit a public GitHub repo
Use it only on repositories you intend to review, and do not assume it audits private or non-GitHub sources unless separately configured.
You have less external information to verify who maintains the skill or whether the registry entry matches an upstream project.
For a security scanner, limited source and homepage provenance makes it harder for users to verify authorship or maintenance history, though no code or install script is present.
Source: unknown; Homepage: none
Prefer security tools with clear source links and version history when provenance matters.
The wording may encourage extra trust in the scanner's results or guarantees.
The skill uses strong safety/privacy guarantees and fear-oriented language; this is not malicious by itself, but users should not over-rely on the claims without independent verification.
100% local read-only analysis ... Zero telemetry in base version ... ClawHub is infested right now.
Treat scan output as advisory and combine it with other review practices for important installations.