Skillv1.0.0

ClawScan security

Local Task Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 23, 2026, 2:47 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill does what it says (executes local Node.js snippets) but allows arbitrary code execution on the host, omits declaring that the Node runtime is required, and includes minor package/manifest mismatches — proceed only if you trust the agent and restrict invocation/scope.
Guidance: This skill executes arbitrary Node.js code on your machine — that's exactly its purpose, but it means any code run can read files, network, and environment data. Before installing: ensure you have the Node runtime on the host, only allow trusted callers to invoke the skill (or disable autonomous invocation), and consider running it inside a dedicated low-privilege container or VM. Also ask the author to (1) declare 'node' as a required binary, (2) remove unused dependencies from package.json (uuid), and (3) document recommended sandboxing/permission guidance. If you cannot restrict who or what can call this skill, avoid installing it.

Review Dimensions

Purpose & Capability: noteThe skill's name, description, SKILL.md, and index.js are coherent: this is a local runner that writes a JS file and executes it with Node. However, the metadata lists no required binaries even though index.js invokes the 'node' binary via child_process.exec, so the declared requirements are incomplete. package.json lists a dependency on 'uuid' that the code does not use (index.js uses crypto), which is an unnecessary/untidy manifest mismatch.
Instruction Scope: concernSKILL.md and index.js instruct the agent to accept arbitrary JavaScript code, write it to disk, and execute it. That behavior is consistent with the stated purpose but inherently powerful: any executed snippet can read files, access environment variables, make network requests, or spawn processes. The skill itself does not sandbox beyond a timeout and maxBuffer, so the runtime instructions grant broad capability to code provided to the skill.
Install Mechanism: noteThere is no install spec (instruction-only), which limits risk from installers. The package.json is present but there is no install step — the declared dependency ('uuid') is not used by index.js; this is likely an oversight rather than malicious but should be cleaned up to avoid confusion.
Credentials: noteThe skill requests no environment variables or credentials and the provided code does not read env vars. However, because the skill executes arbitrary Node code, any code run could itself read environment variables, credentials available to the agent, or other local data — so the absence of declared env requirements does not prevent runtime snippets from accessing secrets present in the environment.
Persistence & Privilege: concernThe skill does not request always:true and does not modify other skills, and it limits files to its own .tasks directory, which is reasonable. However, model invocation is enabled (agent can call the skill autonomously) and combined with the ability to run arbitrary host code this increases blast radius: an agent that autonomously invokes this skill could run unexpected tasks on the host. Consider restricting autonomous invocation or running the skill within a stricter sandbox/privilege boundary.