Skill v1.0.3
ClawScan security
Ai Cli Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 15, 2026, 10:37 PM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's stated purpose (orchestrating AI CLIs) is plausible, but the instructions and included script do things that are inconsistent or broader than necessary (sourcing your shell rc, reading ambiguous config paths, and relying on weak checks for API validity), so review before use.
- Guidance: This skill is broadly coherent with its stated aim, but exercise caution before installing or running it:
  - Inspect $HOME/.zshrc and any project .env/.ai-config* files referenced by the skill. The included script explicitly sources $HOME/.zshrc, which executes whatever is in that file in the current shell — this can run code or expose environment variables (API keys).
  - Note inconsistent config paths in SKILL.md vs. the script (several different filenames). Ask the author which files the skill will read and write, and where.
  - The availability check described (running --version/--help) does not actually validate API credentials; expect false positives for 'available but unauthenticated' tools.
  - Because the skill passes git diffs and file snapshots between tools, be careful that secrets (API keys, tokens, private data) are not included in those diffs or echoed into prompts sent to external services.

  Recommended actions:
  1) Run the script in a controlled environment (container or VM) first, or with a dry-run, to observe behavior.
  2) Manually review and, if desired, remove or sandbox the line that sources $HOME/.zshrc before using the script.
  3) Ask the maintainer to fix inconsistent filenames, clarify how credentials are discovered/used, and add explicit safeguards against leaking secrets.

  Given these inconsistencies and over-broad file access, treat this skill as suspicious until the above issues are resolved.
Review Dimensions
- Purpose & Capability
- note: The overall purpose (discover installed AI CLIs, prioritize, and fallback) matches the provided script and SKILL.md. However, there are mismatches in config file names/locations (.ai-cli-orchestrator.yaml, .ai-config.yaml, ~/.ai-cli-config.json) and the described 'verify API key validity' step is implemented only as --version/--help checks, which do not validate credentials.
- Instruction Scope
- concern: Runtime instructions explicitly tell the agent to read project files (.ai-config.yaml, .env), pass git diffs and file snapshots between tools, and the included script sources $HOME/.zshrc. Those actions expand scope into reading local secrets/configuration and executing whatever is in a user's shell rc — behavior that is not strictly necessary to 'detect installed CLI binaries' and can expose sensitive data or execute unintended code.
- Install Mechanism
- ok: No install spec is provided (instruction-only skill) and the only shipped code is a small shell script. This minimizes install-time risk because nothing is downloaded or extracted from remote URLs.
- Credentials
- concern: The skill declares no required environment variables, yet its instructions and script read/suggest reading .env, .ai-config.yaml, and source $HOME/.zshrc to obtain environment information. Requesting/dereferencing those files without declaring them is disproportionate and could lead to accidental use of credentials found there.
- Persistence & Privilege
- note: The skill writes a configuration file to $HOME/.ai-cli-config.json (persistence in the user's home). It does not request always:true or system-wide modification rights, which is appropriate, but the file-write behavior should be noted and confirmed acceptable by the user.
