Skill v1.1.1

ClawScan security

Claw Secure Auditor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 4, 2026, 2:02 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's docs and metadata claim VirusTotal/sandbox features and request an API key, but the included code only performs local static checks and self-whitelists itself — the mismatch is suspicious and needs author clarification before trust.
Guidance
What to consider before installing or running this skill:
- The package materials conflict: SKILL.md declares VirusTotal integration and an API key, but the included script only does local static pattern scanning. Ask the author to explain the mismatch and provide source for any network/sandbox components before trusting external features.
- Do not supply a VIRUSTOTAL_API_KEY or other secrets unless you confirm the tool actually uses that API and you trust the author. Right now the key is unnecessary according to the code.
- The tool auto-whitelists itself (SELF_WHITELIST = ['claw-secure-auditor']), so its own self-audit will always be marked Safe. Do not rely solely on this tool's results to make security decisions—perform independent/manual review or use multiple scanners.
- If you want to run it: inspect the Python file yourself or run it in a disposable environment (container or VM) on a non-sensitive copy of the target skill. That ensures the code does what you expect and can't access real credentials.
- Recommended next steps before trusting the skill: request an authoritative source URL and release (the homepage shows a placeholder), request clarity on whether VirusTotal/sandbox features exist and provide code for them, and confirm why registry metadata differs from SKILL.md. If the author cannot justify the discrepancies, treat the tool as untrusted.

Review Dimensions

Purpose & Capability
concern: The SKILL.md and README advertise static + sandbox + VirusTotal reputation scoring and include metadata that declares VIRUSTOTAL_API_KEY and a 'requests' dependency, but the actual auditor script only implements local static analysis (pattern scanning) and scoring. The registry metadata at the top lists no required env vars, which contradicts the SKILL.md metadata. Requiring a VirusTotal API key or network requests would be reasonable for a reputation feature — but the code does not use network calls or the requests library, so the declared capabilities and requirements are inconsistent with the implemented capability.
Instruction Scope
concern: Runtime instructions tell users how to run 'quick', 'full', and 'before-publish' audits and advise optionally setting VIRUSTOTAL_API_KEY; but the script only scans files for patterns and never performs sandboxing or external reputation lookups. The instructions therefore overstate what the tool does. The SKILL.md also claims 'read-only' and 'no external writes' which matches the code, but the mention of sandbox and VirusTotal is unsupported and grants the skill broader expected behavior than implemented.
Install Mechanism
ok: There is no install spec (instruction-only), and the tool is delivered as a small Python script included in the package. This is low-risk from an install mechanism perspective because nothing is downloaded or extracted during install. Note: SKILL.md metadata lists a uv package installation for 'requests', but there is no actual install spec in the registry and the script does not import or use 'requests'.
Credentials
concern: SKILL.md metadata and the top of the doc suggest VIRUSTOTAL_API_KEY is used, but the included auditor.py does not read environment variables or call VirusTotal — requesting an API key (a sensitive credential) is not justified by the code. The script also contains a SELF_WHITELIST that auto-marks the skill as safe when auditing itself; this behavior is reasonable for self-audits but can be misleading or abused if not clearly documented.
Persistence & Privilege
ok: The skill does not request persistent privileges (always:false) and the code claims read-only behavior. The script reads files in the target skill path but does not modify files or alter other skills' configurations. This aligns with expected privilege levels.