Skillv0.2.3

ClawScan security

rauto-usage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 11, 2026, 10:43 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions clearly aim to run rauto CLI commands and access local rauto data, but the package metadata omits declaring required binaries and config-path access — an inconsistency worth reviewing before installing.
Guidance: This skill appears to be what it says — a playbook for running the 'rauto' CLI and guiding the agent to execute operations (including multi-device orchestration and backup/restore). Before installing or enabling it, consider the following: 1) The SKILL.md assumes a local 'rauto' binary and access to ~/.rauto (saved connections, records, backups), but the metadata does not declare the rauto binary or config-path access; confirm the runtime environment actually has the rauto CLI and inspect where saved connections/backups live. 2) Saved connections or the --save-password flow can hold plaintext or locally stored credentials — avoid instructing the agent to save passwords, and prefer providing per-operation credentials explicitly when needed. 3) Rely on dry-run (--dry-run) and the skill's required confirmation for destructive actions; do not give blanket permission to run replace/restore or broad orchestrations without human review. 4) If you are not comfortable with an agent that can execute local CLI commands against your devices, do not enable autonomous invocation; require manual confirmation for any change actions and review any proposed tx/workflow/orchestrate plans before allowing execution. 5) If you need higher assurance, ask the skill author for a source/homepage and for the metadata to explicitly declare the required 'rauto' binary and any config paths it will read.
Findings: [NO_CODE_FILES_TO_SCAN] expected: The regex-based scanner had nothing to analyze because this is an instruction-only skill (no executable code). That matches the package contents, but it means static findings provide no signal about runtime behavior.

Review Dimensions

Purpose & Capability: noteThe skill's stated purpose is to execute rauto operations and the SKILL.md and reference files are tightly focused on running rauto CLI commands, tx/workflow/orchestrate flows, backups, and saved connections. That purpose aligns with the content. However, the metadata declares no required binaries or config paths even though the instructions assume a local 'rauto' CLI and access to runtime paths (e.g., ~/.rauto). The absence of a required-binary declaration is an inconsistency (could be an oversight) and the source/homepage are unknown.
Instruction Scope: concernThe runtime instructions explicitly direct the agent to execute arbitrary rauto commands (including config-changing commands, orchestrations, and backup/restore) and to read/use saved connections, record files, backups, and templates. The references name exact filesystem locations (~/.rauto/*) and suggest using saved connections and potentially saved passwords. While the skill mandates confirmation for many destructive actions, it also directs 'Do not ask the user to manually run commands if agent can run them' and will execute read-only commands immediately and change commands when explicitly requested. This means the agent may read local files that can contain credentials and then execute commands that affect network devices. The instructions do not limit the agent from reading local saved connection files or backups when present.
Install Mechanism: okThis is an instruction-only skill with no install spec and no code files — the lowest-risk install footprint. Nothing will be downloaded or written by an installer. The primary runtime risk comes from the agent executing local commands described in the documentation, not from any bundled code.
Credentials: noteThe skill declares no required environment variables or primary credential, which is consistent with being instruction-only. However, the instructions rely on user-supplied credentials or saved connections stored under ~/.rauto (connection files, saved passwords, backups, records). That means the agent may request or read secrets from local saved-connection files or ask the user to enter credentials. The metadata does not call out access to those local config paths, which is a proportionality mismatch: the skill will operate on sensitive data but didn't declare config access explicitly.
Persistence & Privilege: okalways is false and the skill is user-invocable; model invocation is allowed (the platform default). Autonomous invocation combined with the ability to execute CLI commands increases the impact radius if the agent is allowed to act without explicit human confirmation. The skill itself requires confirmation for many destructive actions, which mitigates but does not remove the risk — this is a design choice rather than a secret privilege escalation.