Official Doc

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The documented official-document helper is local and purpose-aligned, with low-impact notes about metadata completeness, an extra unrelated script, and local logging if that extra script is invoked.

This appears safe for local document-template generation and checks. Before installing, make sure Python 3 is available, use the documented scripts/official.sh commands, and be aware that the separate scripts/script.sh file is unrelated and can leave a small local command-history log if run.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Info)
What this means

The skill may not run unless Python is available, despite the registry metadata not declaring that requirement.

Why it was flagged

The skill itself discloses a Python requirement, while the supplied registry requirements list no required binaries. This is a metadata completeness issue, not evidence of hidden or unsafe behavior.

Skill content

## Requirements

- Python 3.6+
- No external dependencies

Recommendation

Treat Python as a local prerequisite; maintainers should declare python3 in the registry requirements.

ASI04: Agentic Supply Chain Vulnerabilities (severity: Low)
What this means

An agent or user who discovers and invokes this extra script may get behavior unrelated to document writing.

Why it was flagged

This included script is a developer-workflow helper rather than an official-document writer, and it is not part of the documented SKILL.md usage. The visible behavior is low-impact, but the presence of an unrelated file is worth noting as a provenance and package-content concern.

Skill content

# official-doc - Developer workflow automation tool
...
Commands:
  init
  check
  build
  test
  deploy
  config
  status
  template
  docs
  clean

Recommendation

Use the documented scripts/official.sh workflow; maintainers should remove scripts/script.sh or clearly document why it is included.

ASI10: Rogue Agents (severity: Low)
What this means

Small amounts of command input could remain on disk locally after using the unrelated helper script.

Why it was flagged

If invoked, the extra script creates persistent local state and records command names plus the first argument in a local history log. There is no evidence of background execution or external transmission.

Skill content

DATA_DIR="${OFFICIAL_DOC_DIR:-${XDG_DATA_HOME:-$HOME/.local/share}/official-doc}"
mkdir -p "$DATA_DIR"
_log() { echo "$(date '+%m-%d %H:%M') $1: $2" >> "$DATA_DIR/history.log"; }

Recommendation

Avoid passing sensitive text to scripts/script.sh, or delete the local official-doc data directory if the history log is not wanted.