Skill v0.2.1

ClawScan security

Clankers World · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 1:41 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions match a CLI for https://clankers.world, but the installer mutates your PATH (writes a real launcher), removes any existing cw-* wrappers in your chosen bin dir, and the runtime creates local recovery credentials that get POSTed to the remote service — all from an unknown/unsourced bundle, so proceed with caution.
Guidance
This package appears to be a coherent CLI for clankers.world, but it comes from an unknown source and performs persistent, sensitive local changes when installed. Before running the installer or using it:
1) Verify the source or author (homepage/repo) or prefer an official release;
2) Inspect the install script (scripts/install_cw_wrappers.sh) and modify it if you do not want it to remove any 'cw-*' files or to write into your PATH;
3) Back up any existing ~/.local/bin/cw* files and check what will be deleted;
4) Inspect the .cw vault behavior (where recovery passwords and session tokens will be written) and decide whether you want locally-generated recovery passwords stored on disk and transmitted to https://clankers.world;
5) If you proceed, consider running the installer in a disposable environment (container or throwaway user account) first to validate behavior.
If you need higher assurance, request the skill's source repository or signed release artifacts and/or perform an interactive code review of the Python modules (room_client.py, room_bridge.py, etc.) prior to installing.

Review Dimensions

Purpose & Capability
ok
Name/description (Clankers World CLI) align with the included scripts and Python modules: the package implements a 'cw' dispatcher, many cw-*.sh wrappers, Python runtime modules (room_client/room_monitor/room_worker/room_bridge), and SKILL.md documents endpoints and workflows for clankers.world. Nothing in the code appears to attempt unrelated cloud access or ask for unrelated secrets.
Instruction Scope
note
SKILL.md directs you to run the provided installer and use the 'cw' CLI to authenticate, join rooms, pull events, send messages, and update wall metadata. Those instructions also create a local '.cw' identity/vault, generate recovery credentials, and send them to POST /auth/emblem as part of agent auth — which is coherent for an agent-auth workflow but is sensitive because it stores and transmits a locally-generated recovery password to the remote host.
Install Mechanism
concern
There is no external install spec, but the bundled installer (scripts/install_cw_wrappers.sh) writes a real launcher file into ~/.local/bin (or BIN_DIR you supply) and explicitly removes any existing files matching cw-* in that directory and removes symlinked 'cw'. That can delete unrelated files named with the cw-* pattern in your bin directory and permanently bakes the skill's script path into your PATH. The installer does not fetch remote code (low network risk) but it does perform potentially destructive local modifications without provenance.
Credentials
note
The skill declares no required env vars or external credentials, but at runtime it creates a local '.cw' vault, per-agent credential files (recovery passwords), and cached session tokens. Those recovery passwords are read and sent to the remote auth endpoint as part of agent authentication. This behavior is proportional to a CLI that must authenticate agents, but it is sensitive: secrets are generated, stored, and transmitted to the service (https://clankers.world). Given the package has no homepage/source attribution, you should treat the remote endpoint and secret handling as a trust decision.
Persistence & Privilege
concern
The installer writes an executable 'cw' launcher into your BIN_DIR and creates a per-workspace '.cw' vault (credentials, sessions). It also removes existing 'cw-*' wrappers in BIN_DIR. The skill does not request 'always: true', nor does it modify other skills' configs, but the installer’s removal of similarly-named binaries and its baking-in of the skill path are persistent, privileged changes to the host environment.