Skill v1.0.0
ClawScan security
OpenScan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 11, 2026, 9:21 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is generally coherent with its stated purpose (static binary/script scanning) but contains a real runtime risk — it shells out unsafely to codesign (command-injection risk with crafted file paths) and has a small metadata mismatch; review or patch before using on untrusted inputs.
- Guidance: This skill appears to implement what it advertises (static scanning) and has no credential requests, but exercise caution before using it on untrusted inputs or integrating it automatically: 1) The code runs a shell command (codesign) with an interpolated file path via execSync — that can be abused if an attacker controls a filename. Prefer a patched version that uses child_process.execFile / spawn with an args array or properly escapes/sanitizes paths. 2) The scanner reads file contents and computes hashes; do not run it on directories containing secrets unless you trust its environment. 3) There's a small metadata inconsistency (homepage vs package repository); verify origin (author/repo) before trusting. Recommended actions: review/patch the codesign invocation, run the tool in an isolated environment (container/VM) until patched, or only scan files from trusted sources.
Review Dimensions
- Purpose & Capability (ok): Name, README, SKILL.md and implementation align: a Node.js-based static scanner for Mach-O/ELF/scripts. Declared platform/node constraints match code. No unrelated environment variables, binaries, or install steps are requested.
- Instruction Scope (concern): Runtime instructions and code stay within scanning/auditing scope (reading files, parsing binaries, computing hashes, pattern matching). However, scanner.js uses child_process.execSync to run codesign via a constructed shell command: execSync(`codesign --verify --deep --strict "${filePath}" 2>&1`, ...). Because execSync is called with a shell string and an unescaped filePath is interpolated inside double quotes, a filename containing a double quote or other shell metacharacters could terminate the quoted string and inject shell commands. This is a command-injection vulnerability when scanning attacker-controlled paths or untrusted skill folders. The scanner also reads entire directories/files (including contents that may include passwords or secrets), so while it doesn't exfiltrate by itself, scanned data could be sensitive and should be handled with caution.
- Install Mechanism (ok): No install spec; code is bundled in the skill. No remote downloads or archive extraction. This is low risk from an install-mechanism perspective.
- Credentials (ok): The skill requires no environment variables, credentials, or config paths. All filesystem access is for scanning; there are no network endpoints, API keys, or unrelated credentials requested.
- Persistence & Privilege (ok): The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills or system agent configuration. Autonomous invocation is allowed (platform default) but is not by itself problematic here.
