Skill v1.0.0
ClawScan security
Run · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 8, 2026, 6:24 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The SKILL.md describes a powerful, host-level execution environment but provides no implementation, install steps, or concrete safeguards — the design is plausible, but the claims and the lack of detail are inconsistent and give the agent broad, vague authority to run code.
- Guidance: This SKILL.md reads like a high-level specification rather than an implemented, reviewable feature. Before installing, ask the publisher for: (1) implementation code or an install spec showing how sandboxing, network isolation, and biometric confirmation are enforced; (2) a list of required host binaries, services, and credentials (e.g., gVisor, Firecracker, cloud keys) and why each is needed; (3) an access-control and audit plan (how executions are logged, who can approve high-risk actions, how whitelists are managed); (4) provenance (who operates the runtime and where it runs). If you cannot review an implementation, avoid enabling autonomous invocation for this skill and prefer manual invocation only. Treat this skill as potentially dangerous until its concrete implementation and least-privilege controls are provided and reviewed.
Review Dimensions
- Purpose & Capability (note): The name and description match the SKILL.md: this is intended as a universal execution primitive. However, the document claims hardware-level sandboxing (gVisor/Firecracker), network isolation, biometric confirmations, and deployment to cloud-edge nodes, while the skill is instruction-only and requests no binaries, installs, or credentials. Those runtime capabilities would require privileged host components and install steps that are not declared — a mismatch between what the skill claims and what it actually requires or provides.
- Instruction Scope (concern): The instructions grant broad, open-ended authority: 'execute' arbitrary code snippets with auto-dependency injection, 'automate' long-running jobs, and 'deploy' to production/edge. The SKILL.md is high-level and lacks concrete, enforceable steps for how sandboxing, network whitelisting, or biometric confirmations are implemented. Vague guidance like this gives the agent wide discretion to run or schedule arbitrary code without clear, auditable constraints.
- Install Mechanism (note): There is no install spec or code; the skill is instruction-only. That is the lowest-risk case from a supply-chain perspective, but it also means the file is purely a policy/behavior description and cannot actually provide the claimed sandboxing or system-level protections. The absence of an implementation is itself a security and trust problem.
- Credentials (note): The skill declares no required environment variables, binaries, or config paths, which on the surface is proportionate. However, its stated capabilities (deploying to cloud-edge, integrating hardware sandboxes) typically require credentials, host agents, or binaries; their absence is an unexplained inconsistency.
- Persistence & Privilege (concern): The always flag is false (good), but model invocation is allowed (the default). Because the SKILL.md authorizes running arbitrary code and scheduling automated tasks, allowing autonomous invocation increases risk: an agent could trigger executions without clear, enforceable controls. The combination of vague execution authority and autonomous invocation is concerning.
