Skill v1.0.0

ClawScan security

Elcano Superpowers · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review: Mar 5, 2026, 12:59 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's instructions align with its stated goal (structured TDD-driven multi-file changes) but they expect unrestricted access to repository files, git operations, test/runtime commands, and process restarts while declaring no required credentials or environment details — an incoherence that could lead to unintended or dangerous actions if run autonomously.
Guidance
This skill is coherent in purpose (it prescribes careful planning, tests-first implementation, and reviews) but it instructs the agent to perform powerful repo and runtime operations while declaring no credentials or environment requirements. Before installing or enabling this skill:
- Require explicit human approval for any 'git push', 'deploy' or 'PM2 restart' steps (do not allow automatic pushes to protected branches or automatic restarts without manual confirmation).
- Restrict agent permissions: give it read-only access where possible during planning; provide narrowly scoped deploy keys/accounts for any required pushes and restarts; prefer CI/CD for final pushes and deploys.
- Verify local tooling: ensure node/npm, test runners, and PM2 are available in the runtime environment and understand which user account will execute commands.
- Audit and review every generated plan before execution; insist on the 'design approved' HARD GATE and keep the approval manual and auditable.
- Limit sub-agent network access and model choices if possible; avoid allowing sub-agents to exfiltrate repository contents or secrets.
If you cannot enforce these controls (manual gating, least-privilege deploy keys, CI-based deploys), treat this skill as risky and avoid enabling autonomous execution. If you can enforce them, the skill can be useful but still requires operational safeguards.

Review Dimensions

Purpose & Capability
Rating: note
The name/description (structured development with sub-agents, TDD, multi-file changes) matches the SKILL.md: it describes planning, tests-first tasks, commits, and sub-agent execution. However, the skill declares no required env vars, binaries, or config paths even though its workflow explicitly requires filesystem and VCS access, a test runner (npm), and deployment/runtime control (PM2). The missing declarations are a proportionality/visibility gap rather than a direct mismatch in purpose.
Instruction Scope
Rating: concern
The SKILL.md instructs the agent to read repository files and recent commits, create and modify exact file paths, run tests (npm test), commit, git push, and restart PM2 — plus produce screenshots for UI tasks. It also prescribes spawning fresh sub-agents per task. Those are powerful actions that go beyond passive guidance: they are operational steps that can modify code and production state. The instructions do not explicitly require an explicit human approval gate for git push / PM2 restart (the plan approval gate exists but could be automated), nor do they limit what paths/branches may be modified. This broad operational scope is noteworthy and could be dangerous if executed without strict human control.
Install Mechanism
Rating: ok
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be written to disk by an installer as part of skill setup.
Credentials
Rating: concern
The skill requests no environment variables or credentials in its manifest, but its runtime instructions require capabilities that typically depend on credentials or privileged access: git push (SSH keys or git credentials), running npm tests (node/npm installed), and restarting PM2 (server/process control). The absence of declared required credentials/config paths is an incoherence: a legitimate implementer should document what credentials, user accounts, or host access the skill expects and what minimum privileges are needed.
Persistence & Privilege
Rating: note
'always' is false (good) and autonomous invocation is allowed (the platform default). The real risk is operational: the skill's normal flow includes git push and PM2 restarts, which can be executed by an agent if allowed. That combination (autonomous invocation + ability to perform repo pushes and process restarts) increases blast radius but is not in itself flagged by the skill metadata — users should ensure manual gating or least-privilege controls before enabling autonomous runs.