ClawHub
Back to skill
v1.0.0

Sha Tool

BenignClawScan verdict for this skill. Analyzed May 2, 2026, 9:30 PM.

Analysis

This appears to be a simple local SHA-256 hashing utility with no evidence of network access, credential use, persistence, or destructive behavior.

GuidanceThis skill looks safe for local checksum use. Before installing, confirm how the `sha-tool` command is actually provided and note that the included script only computes SHA-256, despite the documentation mentioning additional SHA algorithms.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
SeverityInfoConfidenceHighStatusNote
SKILL.md
sha-tool [options] <algorithm> <file>

The documented command and multi-algorithm interface are not matched by the provided manifest, which only includes a small `scripts/sha256.py` implementation. This may affect usability or provenance clarity, but does not show malicious behavior.

User impactThe skill may not work exactly as documented unless a separate wrapper or command is provided elsewhere.
RecommendationVerify how `sha-tool` is installed or invoked, and expect only SHA-256 support from the included script unless additional reviewed files are supplied.
Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
scripts/sha256.py
data = open(sys.argv[1], 'rb').read() if sys.argv[1:] else sys.stdin.buffer.read()

The script reads a file path supplied on the command line or data from stdin, which is expected for a hashing utility and is not paired with network transmission or mutation.

User impactIf invoked on a sensitive file, the tool can read it locally to compute a digest, but the artifact only prints the hash value.
RecommendationUse it only on files you intend to hash, and avoid giving the agent broad, unspecific file-selection instructions.