Skill v1.0.0
ClawScan security
Approval Engine · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 27, 2026, 10:44 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The package appears to be a coherent approval/alerting engine, but the declared registry metadata omits required Discord credentials and there are small inconsistencies between what the skill claims to require and what its code/instructions actually access.
- Guidance: This skill mostly does what it says (approval workflows, exception detection, Discord notifications), but before installing:
  - Expect to provide a Discord bot token (DISCORD_BOT_TOKEN) and channel IDs (DISCORD_APPROVALS_CHANNEL, DISCORD_ALERTS_CHANNEL, DISCORD_EXCEPTIONS_CHANNEL, DISCORD_RECOVERY_CHANNEL). The registry metadata currently does not list these — treat that as a documentation gap.
  - Keep the Discord bot token secret and grant the bot the minimal permissions required to post messages and handle interactions.
  - The skill writes persistent files under the skill root (data/approvals.json, logs/approval.log, logs/exceptions.json). Run it in a directory where you control file access and rotation.
  - Because the skill sends requests to discord.com, confirm your environment allows outbound HTTPS and that you trust posting these messages to those channels.
  - Review the omitted/truncated source files (not provided here) for any additional network endpoints or unexpected behavior before running in production.
  - Test in a staging or sandbox environment first (the skill includes test/smoke-test.sh).

  The main actionable concern is the metadata/manifest inconsistency around required environment variables — that should be fixed or clarified before trusting deployment.
Review Dimensions
- Purpose & Capability (note): The code and SKILL.md implement a rule-driven approval engine with exception detection, recovery strategies and Discord integration — which matches the name/description. However, the registry metadata claims no required environment variables while the SKILL.md and code clearly expect Discord credentials and optional data-dir/env paths; that mismatch is unexpected and should be corrected.
- Instruction Scope (ok): Runtime instructions are focused on creating approvals, running detectors, recovery, and sending Discord notifications. The SKILL.md tells the agent to load modules from the skill root, read config/approval-rules.json and run cron/test scripts. These actions are coherent with the stated purpose and the code's behavior; I saw no instructions to read unrelated system files or exfiltrate data to unknown endpoints beyond Discord.
- Install Mechanism (ok): No install spec is provided (instruction-only), and the included source files are standard JS modules using built-in Node APIs (fs, https). There are no external download URLs or unusual installers. Risk from the installation mechanism is low.
- Credentials (concern): SKILL.md and the code expect Discord-related environment variables (DISCORD_BOT_TOKEN and several DISCORD_*_CHANNEL IDs) and optionally APP/DATA root overrides, but the skill registry declares no required env vars — an inconsistency. The requested envs (Discord token and channel IDs) are reasonable for a Discord-integrated notifier, but they are sensitive credentials and should be explicitly declared in metadata so users know what to provide and protect.
- Persistence & Privilege (ok): The skill writes to local data/ and logs/ directories (approvals.json, approval.log, exceptions.json) and persists approvals to JSON — behavior consistent with an approval engine. It does not request `always: true` and does not modify other skills' configuration. This level of persistence is expected, but you should be aware of the local files it creates.
