ClawHub
Back to skill
v1.0.0

Ping Tool

BenignClawScan verdict for this skill. Analyzed Apr 30, 2026, 9:06 PM.

Analysis

This is a simple ping utility with no evidence of malicious behavior, though it can send network probes and its metadata/documentation are slightly incomplete.

GuidanceThis skill appears safe for ordinary network diagnostics, but only use it to ping systems you are authorized to test. Be aware that the included script is simpler than the documentation suggests: it hard-codes four ping attempts and may not support the listed options.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
ping-tool [options] <hostname>

The skill lets the agent direct ping traffic to an arbitrary hostname. This is purpose-aligned for network diagnostics, but users should only test hosts they are authorized to contact.

User impactThe skill can generate network traffic to remote systems, which may be inappropriate on unauthorized targets.
RecommendationUse it only for legitimate diagnostics on hosts you own, manage, or have permission to test.
Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
scripts/ping.py
subprocess.run(["ping", "-c", "4", sys.argv[1]])

The script depends on an external system ping binary, while the metadata declares no required binaries. This is expected for a ping tool but is an under-declared dependency.

User impactThe skill may fail or behave differently depending on the local operating system's ping command.
RecommendationConfirm that the intended system ping utility is available before relying on the skill.
Unexpected Code Execution
SeverityLowConfidenceHighStatusNote
scripts/ping.py
subprocess.run(["ping", "-c", "4", sys.argv[1]])

The script launches a local system command. It does not use shell=True and the command is directly related to the stated ping purpose, but local command execution is still behavior users should notice.

User impactInstalling or invoking the skill may run the local ping program and create outbound ICMP traffic.
RecommendationReview the target host before invocation and avoid using it in environments where outbound diagnostic traffic is restricted.
Human-Agent Trust Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
- `-c N`: Send N packets then stop
- `-i N`: Wait N seconds between packets
- `-s N`: Set packet size
- `-t N`: Set timeout in seconds

The documentation advertises several options, but the bundled script hard-codes four packets and only uses the first argument as the host. This is a documentation/capability mismatch rather than evidence of deception.

User impactUsers may expect options such as packet count, interval, size, or timeout to work when the provided script does not implement them.
RecommendationTreat the documented options as unverified unless the actual installed command supports them.