Back to skill
Skillv1.0.0
ClawScan security
Hostname Tool · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 28, 2026, 9:05 PM
- Verdict
- suspicious
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's description and docs claim features (setting hostname, --fqdn, --ip-address) that are not implemented by the included code; otherwise the code appears simple and low-risk.
- Guidance
- The package is small and the script just prints Python's socket.gethostname(), so it looks harmless, but the documentation promises additional features that are not implemented. If you need a tool that can set hostnames, compute FQDNs, or resolve IP addresses, do not rely on this skill as-is. Before installing or running it: (1) review the script contents yourself (it's short), (2) run it in a sandbox or non-production environment, and (3) avoid running unknown tools as root. If you expect the documented features, ask the publisher for a corrected version or use an alternative utility that explicitly implements those capabilities.
Review Dimensions
- Purpose & Capability
- concernThe skill claims to 'Display or set the system hostname' and documents options (--fqdn, --ip-address, changing hostname) but the included script only prints socket.gethostname() and offers no CLI parsing or hostname-setting functionality. This is a clear mismatch between claimed capability and actual implementation.
- Instruction Scope
- concernSKILL.md describes commands that would display FQDN, associated IP, and change the hostname (requiring root). The runtime instructions do not appear in the shipped code: there are no flags, no logic to compute FQDN/IP, and no code to change system hostname. The instructions therefore overreach the actual runtime actions.
- Install Mechanism
- okNo install spec is provided and only a tiny Python script is included. Instruction-only with a small helper script is low-risk from an installation perspective.
- Credentials
- okThe skill requests no environment variables, credentials, or config paths. The code uses only Python's socket.gethostname() and does not access secrets or external network endpoints.
- Persistence & Privilege
- okThe skill does not request persistent presence, does not modify other skills or system config, and does not require any special platform flags. The SKILL.md notes that changing hostname would require root, which is accurate but not implemented in the code.