Skill v1.2.0

ClawScan security

Siphonclaw Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 1:43 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's documentation and runtime instructions describe local models and many external API integrations (and ask to ingest arbitrary filesystem paths), but the registry metadata declares no required credentials or installs — that mismatch and the unknown provenance are suspicious and worth further review before use.
Guidance
Do not install or run this skill blindly. The files describe downloads of large local models (Ollama pulls), a local vector DB, and use of multiple external APIs, yet the registry declares no required credentials; this mismatch is suspicious. Before using:
1) Verify the source repository (README references https://github.com/curtisgc1/siphonclaw.git) and review the actual code there.
2) If you plan to follow the README, inspect any scripts and requirements.txt for third-party packages and network calls.
3) Prefer running ingestion and model pulls on an isolated machine or VM (they download large models and will process local files).
4) Do not provide API keys (OpenRouter, Telegram, AgentMail, BraveSearch, etc.) until you confirm which endpoints will receive your data and why.
5) Consider restricting which filesystem paths the agent can access (avoid giving blanket access to / or home) and test with non-sensitive documents first.
The lack of declared requirements and unknown provenance are the main reasons to proceed cautiously.

Review Dimensions

Purpose & Capability
concern: The README/SKILL.md describe a full document-intelligence pipeline (local Ollama models, ChromaDB/BM25, visual embeddings, and optional cloud intelligence via OpenRouter/Minimax/etc.). That functionality plausibly requires local binaries, model downloads, and API keys. However, the skill metadata declares no required environment variables, no required binaries, and no install steps. This inconsistency (documented runtime needs vs declared requirements) is unexplained and therefore concerning.
Instruction Scope
concern: The SKILL.md lists tools that accept absolute file_path and image_path arguments (ingest/identify), and describes fallback to web search and cloud intelligence. That means the agent using this skill may read arbitrary local files for ingestion and may forward extracted text/images to external APIs. The instructions don’t explicitly limit which files/paths are used, nor do they declare the external endpoints or credentials in the registry. That broad scope (local file access + potential outbound transmission) without declared constraints is a risk.
Install Mechanism
ok: There is no install spec in the registry (instruction-only skill), so nothing is automatically downloaded or written by the platform. This minimizes immediate install-time risk. However, the README shows manual install steps (git clone, pip install, ollama pull) that a user would run separately; those commands themselves fetch large models and code from third parties and should be verified before execution.
Credentials
concern: The registry lists no required env vars, but the README and documentation reference many credentials and endpoints (examples: OLLAMA_URL/OLLAMA_VISION_MODEL, OPENROUTER_API_KEY, MINIMAX_API_KEY, KIMI_API_KEY, TELEGRAM_BOT_TOKEN, AGENTMAIL_API_KEY, BRAVE_SEARCH_API_KEY, DAILY_BUDGET_CAP). Requiring multiple unrelated API keys (messaging, search, model routers) would be proportional to the pipeline, but the skill did not declare them in metadata. The absence of declared primary credentials while docs require secrets is an incoherence that could lead to accidental data exposure if users supply keys without understanding what will be sent where.
Persistence & Privilege
ok: The skill is not marked always:true and does not request system-level config paths in the registry. Autonomous invocation is allowed (platform default) but that alone is not a red flag. There is no evidence this skill modifies other skills or system-wide settings. Still, because it can instruct ingestion of arbitrary files and outbound calls, consider limiting its access and running it in a sandbox until provenance is confirmed.