Skill Scan

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+3 more)

Findings (17)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Accidentally executing fixture files could run harmful commands or leak data, even though normal scanner use should only read them as samples.

Why it was flagged

This is executable malicious-style fixture code. Its location under test-fixtures and the testing documentation indicate it is intended as scanner test data, but it would be dangerous if run directly.

Skill content
const payload = Buffer.from(cmd, 'base64').toString('utf-8');
run(payload);
Recommendation

Use the CLI scanner, not the fixture scripts. Maintainers should keep malicious fixtures clearly isolated and preferably inert or disabled by default.

Note
High Confidence
ASI01: Agent Goal Hijack
What this means

Future skill installation requests may be delayed or blocked by this scanner’s result.

Why it was flagged

The skill deliberately changes the agent’s install workflow by requiring this scanner before ClawHub skill installation.

Skill content
BEFORE installing any skill from ClawHub, you MUST scan it with skill-scan first. This is non-negotiable — never skip the scan.
Recommendation

Choose automatic scanning only if you want this skill to gate future installs; otherwise use the documented manual/on-demand mode.

Note
High Confidence
ASI10: Rogue Agents
What this means

The scanner can remain part of the agent’s default workflow until the AGENTS.md section is removed.

Why it was flagged

AGENTS.md changes are persistent agent instructions that continue to affect behavior after the initial install.

Skill content
During installation, one of two sections was added to your workspace `AGENTS.md`
Recommendation

Review the AGENTS.md section after installation and remove it if you no longer want automatic or on-demand scanning behavior.

What this means

If you enable LLM or related integrations, those provider credentials may be used by the scanner.

Why it was flagged

Optional analysis modes rely on provider credentials from environment variables, even though static scanning requires no keys.

Skill content
`OPENAI_API_KEY` | LLM scanning | OpenAI API key ... `ANTHROPIC_API_KEY` | LLM scanning ... `PROMPTINTEL_API_KEY` | MoltThreats integration
Recommendation

Provide only the keys needed for the modes you actually use, and prefer least-privilege or dedicated keys.

What this means

Private local skill code or scan findings may leave your environment when LLM or alert features are enabled.

Why it was flagged

Optional LLM analysis implies scanned skill content is processed through external model providers.

Skill content
LLM deep analysis | Semantic threat understanding | `--llm` ... Provider auto-detected from environment: `OPENAI_API_KEY` -> gpt-4o-mini; `ANTHROPIC_API_KEY` -> claude-sonnet-4-5
Recommendation

Use static-only scanning for sensitive private code, or confirm your provider and alert-channel privacy requirements before enabling LLM/alert modes.

What this means

A LOW scan result should reduce risk but should not be treated as a guarantee that a skill is safe.

Why it was flagged

The project documents known missed threat categories, while the main workflow describes LOW risk as safe to proceed.

Skill content
These three currently score as LOW risk and are counted as false negatives.
Recommendation

Treat scan output as one review input; manually review high-impact skills and known-gap areas such as path traversal, resource exhaustion, and SQL injection.

What this means

Users may need to manually verify how the CLI is installed and whether the package version matches the registry entry.

Why it was flagged

The skill is presented as a Python CLI package, while registry metadata says there is no install spec and the source/homepage are unknown.

Skill content
pip install -e .
skill-scan scan /path/to/skill
Recommendation

Install from a trusted source, verify the package/version, and review dependencies before relying on it for security decisions.

Findings (17)

critical
suspicious.dangerous_exec
Location: test-fixtures/evasive-12-multi-stage/plugins/init.js:22
Finding: Shell command execution detected (child_process).

critical
suspicious.dangerous_exec
Location: test-fixtures/malicious-skill/helper.js:20
Finding: Shell command execution detected (child_process).

critical
suspicious.dynamic_code_execution
Location: test-fixtures/command-injection-eval/calculate.py:18
Finding: Dynamic code execution detected.

critical
suspicious.dynamic_code_execution
Location: tests/test_ast_analyzer.py:100
Finding: Dynamic code execution detected.

critical
suspicious.dynamic_code_execution
Location: tests/test_scanner.py:87
Finding: Dynamic code execution detected.

critical
suspicious.env_credential_access
Location: skill_scan/scanner.py:596
Finding: Environment variable access combined with network send.

critical
suspicious.env_credential_access
Location: test-fixtures/evasive-04-timebomb/scheduler.js:17
Finding: Environment variable access combined with network send.

critical
suspicious.env_credential_access
Location: test-fixtures/evasive-07-sandbox-detect/check.js:18
Finding: Environment variable access combined with network send.

critical
suspicious.env_credential_access
Location: test-fixtures/legit-api-skill/github.js:9
Finding: Environment variable access combined with network send.

critical
suspicious.env_credential_access
Location: test-fixtures/malicious-skill/helper.js:6
Finding: Environment variable access combined with network send.

critical
suspicious.env_credential_access
Location: tests/test_ast_analyzer.py:53
Finding: Environment variable access combined with network send.

critical
suspicious.env_credential_access
Location: tests/test_scanner.py:94
Finding: Environment variable access combined with network send.

warn
suspicious.obfuscated_code
Location: test-fixtures/evasive-02-encoded/index.js:4
Finding: Potential obfuscated payload detected.

warn
suspicious.potential_exfiltration
Location: test-fixtures/evasive-04-timebomb/scheduler.js:17
Finding: Sensitive-looking file read is paired with a network send.

warn
suspicious.potential_exfiltration
Location: test-fixtures/malicious-skill/helper.js:6
Finding: Sensitive-looking file read is paired with a network send.

warn
suspicious.prompt_injection_instructions
Location: test-fixtures/malicious-skill/SKILL.md:10
Finding: Prompt-injection style instruction pattern detected.

warn
suspicious.prompt_injection_instructions
Location: test-fixtures/prompt-injection-jailbreak/SKILL.md:16
Finding: Prompt-injection style instruction pattern detected.