v1.0.0

TIA COMMISSIONING DELTA

Review
ClawScan verdict for this skill. Analyzed May 1, 2026, 8:32 AM.

Analysis

The skill’s goal is coherent, but it would access sensitive industrial-control backups and run a referenced PowerShell diff script that is not included for review.

Guidance: Review this before installing. Only use it with trusted, reviewed diff scripts and exact read-only backup paths. Because the backups can include safety interlocks, PID tuning, alarms, and sequence logic, treat the output as sensitive operational information and verify any reported critical changes with a qualified engineer.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
Scripts/README.md
- `TIA-Commissioning-Delta.ps1` - Process control focused diff

The README references a central PowerShell helper script, but the supplied manifest contains only SKILL.md and Scripts/README.md, leaving the code the agent would run unreviewed and without provenance.

User impact: The agent may need to run an external or locally discovered script that has not been included in the reviewed package, which is risky when processing industrial-control backups.
Recommendation: Do not run the diff helper unless the exact PowerShell script is supplied, reviewed, and obtained from a trusted source; the package should include or pin the script it expects.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
tools:
 - shell
 - filesystem
...
1) Locate both .zap18 archives.
2) Run the commissioning diff script.

The skill explicitly uses shell and filesystem access to find TIA archive files and run a diff script. This is aligned with the purpose, but it needs clear user control and path limits.

User impact: If invoked with broad access, the agent could search or process unintended backup files and execute commands in the local environment.
Recommendation: Provide exact baseline and latest backup paths, review the command before execution, and avoid letting the agent search broad local, NAS, or cloud locations.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Access site backups (e.g. from cloud storage or NAS).

Accessing cloud or NAS backup locations may use existing user, machine, or network permissions to reach sensitive industrial backup data, while no credential or approved path contract is declared.

User impact: The skill may operate with the user’s existing access to sensitive site backups, including safety and process-control logic.
Recommendation: Use a read-only account or mounted folder limited to the intended backup files, and avoid granting broad cloud/NAS access.