v2.0.0

Cobra Claw - Strike First. Strike Hard

Benign: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:14 AM.

Analysis

This is a simple themed personality/lookup skill with small local shell scripts and no evidence of credential access, networking, persistence, or destructive behavior.

Guidance: This skill appears safe to install based on the provided artifacts. Be aware that it includes bash scripts, so inspect any external version before running it and use the included CLI only with expected kata names.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
cobraclaw.sh
if [ -x "$SCRIPT_DIR/katas/${kata}.sh" ]; then
    "$SCRIPT_DIR/katas/${kata}.sh"

The CLI can execute a local kata script selected by an argument. This is disclosed and central to the skill's purpose, and the included kata scripts only echo text.

User impact: Running the CLI may execute local shell scripts from the skill directory.
Recommendation: Run only the reviewed included scripts and avoid passing untrusted or unexpected kata names.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
README.md
git clone https://github.com/danieloleary/cobraclaw.git

The README points users to clone an external repository, while the registry source is listed as unknown. This is user-directed setup guidance, not automatic execution.

User impact: If a user clones the external repository, they may receive code that differs from the reviewed artifacts.
Recommendation: Prefer the reviewed registry package, or verify the external repository and inspect files before running its scripts.