Skill v1.2.1

ClawScan security

Agent Hush · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 5:04 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's code and instructions match its stated purpose (local secret-scanning and sanitization) but the SKILL.md directs silent, automatic interception, background scans, and automatic in-place fixes/pushes which are intrusive and warrant review before installation.
Guidance
This skill appears to implement a local secret scanner and sanitizer, but its runtime rules instruct the agent to run silent, automatic scans and to auto-replace and push high-confidence findings. Before installing:
1) Audit scripts/sanitize.py yourself (search for network/socket/HTTP calls, remote endpoints, or suspicious subprocess use) to confirm 'local-only' behavior.
2) Test the tool in a disposable repo with --dry-run/export to verify backups and sanitization behavior.
3) Disable or require explicit confirmation for automatic fixes/pushes (avoid silent auto-push) or disable background heartbeat scans until you trust it.
4) Verify where allowlist/backups are stored and that they don’t leak secrets.
5) If you lack time to audit, prefer manual invocation only (run scans yourself) rather than enabling automatic interception.
If you want, I can point out exact places in sanitize.py to inspect for network/exfiltration calls.

Review Dimensions

Purpose & Capability
ok: Name/description, shipped scripts (sanitize.py + gitleaks converter) and commands in SKILL.md align with a local secret-detection/sanitization tool. No unrelated env vars or binaries are requested.
Instruction Scope
concern: Runtime instructions require the agent to automatically intercept 'ANY outbound action' (push/publish/share), run scans, perform automatic high-confidence replacements, and in some examples commit/push on the user's behalf — and to keep many operations silent ('proceed silently' for clean scans). That broad, hidden behavior is intrusive and could surprise users; you should confirm exactly when the agent will modify files, commit, or push and whether those actions require explicit user consent in your environment.
Install Mechanism
ok: No download-from-URL or external installer is embedded in the skill package provided; this is an instruction+script skill with no external install spec. The included docs reference clawhub/npm for installation, which is expected for agent skills but not part of the skill itself.
Credentials
note: The skill requests no extra environment variables or secrets, which is proportionate. However it performs git operations (push/replace) via subprocesses and will rely on the agent's existing git credentials to push changes — so it can operate on remote services using your auth. It also writes allowlist and backups into project directories (persisting state on-disk).
Persistence & Privilege
note: always:false (good). The agent is allowed autonomous invocation (normal), and SKILL.md expects the agent to run background/heartbeat scans and persist allowlists/backups in workspaces. Combined with automatic in-place fixes and pushes, this increases the blast radius if misconfigured — consider restricting autonomous triggers or requiring explicit confirmation before any push.