Skill v1.0.1
ClawScan security
clawhub · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 14, 2026, 1:19 PM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill does what it claims (search and download skills) but it downloads and extracts arbitrary ZIP packages from an unexpected third-party API host with no integrity checks, which is a supply-chain risk.
- Guidance: This skill implements a registry search/download tool, but it downloads skill ZIPs from an unexpected third-party host (wry-manatee-359.convex.site) rather than the public clawhub.ai domain and does not verify signatures or checksums. Installing will copy whatever is in those ZIPs into ~/.agents/skills so the agent may later execute them. Before installing: (1) confirm the API host is legitimate (ask the publisher or verify DNS/TLS ownership for clawhub.ai vs convex.site), (2) prefer installers that use verified release hosts or cryptographic signatures, (3) inspect downloaded packages manually before copying them into your skills directory, or run the downloader inside a sandbox/container, and (4) if you need stronger assurance, request that the skill be updated to verify checksums or signatures and to use the official ClawHub API/host. If you do not trust the remote host or cannot validate provenance, do not install.
Review Dimensions
- Purpose & Capability (concern): Name/description match the included scripts: the two bash scripts implement searching and downloading skills and installing them to ~/.agents/skills/clawhub-skills/<slug>. However, the SKILL.md and scripts use an API host (https://wry-manatee-359.convex.site) rather than the public site name (clawhub.ai). Requesting to download and install arbitrary skill packages is functionally consistent with a 'registry downloader' but the unexpected API domain and lack of provenance/verification is disproportionate to the stated purpose and warrants caution.
- Instruction Scope (concern): Runtime instructions and the scripts perform network fetches, validate the ZIP format superficially, then extract and copy all files into the agent's skills directory (~/.agents/skills/...), thereby installing arbitrary code that the agent may later execute. The scripts do not verify signatures, checksums, or any publisher identity and do not restrict which files can be installed. They do not read unrelated system credentials, but they grant execution capability to remote-provided code.
- Install Mechanism (concern): There is no platform install spec, but the included downloader script performs a direct curl download from a third-party convex.site subdomain and extracts the archive locally. The download URL is not a well-known release host (e.g., GitHub releases) and the archive is extracted without cryptographic verification; this is a higher-risk install pattern (remote archive -> local extraction -> execution potential).
- Credentials (ok): The skill does not request environment variables, credentials, or config paths beyond writing to ~/.agents/skills. It also checks for required local binaries (curl, unzip, jq) before running. No unrelated secrets are requested.
- Persistence & Privilege (note): The skill is not always-enabled and does not modify other skills. It installs packages into the user's skill directory, which is normal for an installer but gives installed skills persistent presence and the same runtime privileges as other skills; those installed packages could be executed autonomously by the agent (default behavior).
