Skillv0.1.4

ClawScan security

Fix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 15, 2026, 2:42 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (fixing agent behavior) is plausible, but its runtime instructions require searching and editing the agent's skills/rules/hooks and deleting session TODOs without declaring or constraining that access — a mismatch that could lead to undesired or broad modifications.
Guidance: This skill asks the agent to search and edit your agent's skills, rules, hooks, and settings but doesn't declare those config paths or show how edits are reviewed. Before installing: 1) Ask the publisher to explicitly list required config paths and exactly how file edits are made. 2) Require the skill to present a human-readable diff and obtain explicit approval for each change (do not allow blind writes). 3) Verify what TodoWrite does and whether its TODOs persist beyond the session; require a way to inspect and delete them. 4) Back up ~/.claude, ~/.agent, and settings.json before first use and run the skill in a sandboxed environment. 5) If you want extra caution, restrict this skill to manual invocation only and require confirmation prompts for any modification to other skills or hooks.

Review Dimensions

Purpose & Capability: concernThe skill's goal (root-cause analysis and preventing recurrence) reasonably requires inspecting and updating agent rules/skills/hooks. However, SKILL.md instructs the agent to read and modify specific user/agent config paths (~/.claude/skills, ~/.agent/rules, settings.json, failed-attempts.md) even though the registry metadata declares no required config paths or elevated access. That mismatch between claimed requirements and actual instructions is concerning.
Instruction Scope: concernThe instructions mandate a first action (TodoWrite) and then require Grep/Glob searches and edits across multiple agent config locations, applying a 'skill-kit upgrade' and adding hooks. These steps give the agent broad discretion to change other skills and settings, and the procedure text is permissive/vague about how edits are made or reviewed (no explicit safety checks, diffs, or user approvals for file-modifying actions).
Install Mechanism: okNo install spec and no code files — instruction-only — so nothing is written to disk by an installer. This reduces supply-chain risk relative to downloadable installs.
Credentials: concernThe skill declares no required env vars or config paths, but the runtime steps explicitly reference many internal config locations and imply read/write access to them. Declaring those paths and required permissions is expected for a skill that modifies agent internals; the omission is a proportionality/information gap.
Persistence & Privilege: concernalways:false (not force-included), but the skill's instructions explicitly direct modification of other skills, rules, and settings (system-wide agent configuration). Per evaluation rules, modifying other skills/configs is a high-privilege action and should be surfaced and constrained; the SKILL.md allows such changes without requiring explicit user confirmation or preserving audit diffs.