v1.0.0

TIA HW AUDITOR

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:33 AM.

Analysis

This skill has a coherent audit purpose, but it asks the agent to run external audit scripts that are not included or pinned while accessing sensitive engineering backups.

Guidance

Review this skill before installing. It appears intended for a legitimate TIA hardware audit, but you should only use it with a known, trusted audit script, explicit backup paths, read-only access to NAS/vault shares, and clear controls over which agent receives the CSV and JSON results.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Run an external Openness script (e.g. `tia_hw_audit.bat field.zap18 master.zap18`).

The package is described as instruction-only and the manifest contains only SKILL.md and Scripts/README.md, yet the skill directs the agent to execute an external helper. The helper's source, path, version, and integrity are not provided in the reviewed artifacts.

User impact: The agent may execute whatever local script matches the referenced audit command, so the actual behavior could differ from the reviewed skill description.
Recommendation: Provide the audit script in the package or require a pinned absolute path, checksum, and explicit user approval before execution.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Mount or access network paths for NAS and engineering vault.

Access to NAS and engineering-vault locations is expected for comparing backups, but it is sensitive delegated access and the registry metadata does not declare required config paths or credentials.

User impact: The agent could read sensitive factory or engineering backup files if granted broad network-share access.
Recommendation: Use explicit allowlisted backup paths and read-only credentials, and avoid granting broader NAS or vault access than the audit requires.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low | Confidence: High | Status: Note
SKILL.md
Short JSON summary for the calling agent.

The skill is designed to return audit results to another agent. This is purpose-aligned, but the artifacts do not define which agent may receive the summary or how sensitive hardware and I/O change data is protected.

User impact: Industrial configuration differences may be shared beyond the immediate audit workflow if the receiving agent or channel is not controlled.
Recommendation: Limit which agents can invoke and receive results, and redact or restrict CSV/JSON outputs if they contain sensitive operational details.