Skill v1.0.1
ClawScan security
Ghostclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 23, 2026, 3:36 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code and instructions broadly match an architectural-review tool, but there are several mismatches and omissions (missing referenced modules/files, undeclared GH_TOKEN usage, and hook/auto-PR capabilities) that make the package inconsistent and worth closer inspection before trusting it with repository access or credentials.
- Guidance: What to consider before installing or enabling Ghostclaw:
  - Missing/undeclared pieces: The code references helper modules (ghostclaw.lib.* like VibeCache, GitHubClient, Notifier) that are not present in the provided manifest. This will likely break at runtime — ask the publisher for the full package or inspect the missing files before use.
  - Credentials: The tool uses GH_TOKEN (or --gh-token) and can open PRs and push branches. Do NOT supply a full-all-scopes token. If you must provide a token, create a narrowly-scoped GitHub token with the minimum permissions (or use gh CLI auth with limited scope), and only for repositories you trust.
  - Hooks & autonomy: Enabling the hook gives the skill ongoing access to analyze and modify repositories on events. Only enable hooks if you trust the author's provenance and reviewed the code. The skill is not 'always' forced on by default, but enabling hooks grants background capability.
  - Self-update risk: The CLI can run 'git pull' and 'pip install' to update itself. That means new code could be pulled and executed. Prefer installing from pinned, auditable releases or from a trusted package index; avoid enabling automatic self-updates without review.
  - Run in isolation first: Try running the tool in a sandbox or on a non-sensitive/local test repo to observe behavior (and confirm missing modules) before letting it scan important repos or giving it credentials.
  - Ask for provenance: The registry lists no homepage/official source in metadata; HOOK.md references a GitHub URL. Verify the upstream repository, publisher identity, and release artifacts before trusting automated write/PR behavior.

  If you want, I can: (1) list the exact import/filename mismatches found so you can ask the author for missing files, or (2) suggest exact minimal GitHub scopes for a token if you decide to run it with limited privileges.
- Findings
[no_pre_scan_signals] expected: The regex-based pre-scan reported no injection signals. That doesn't offset the other inconsistencies (missing referenced modules, undeclared env vars). Absence of findings is not proof of safety.
Review Dimensions
- Purpose & Capability (note): Name/description align with the included analyzer, watcher, and CLI code: the package is built to scan repos, compute metrics, and optionally open PRs. However some source references (ghostclaw.lib.* modules like VibeCache, GitHubClient, Notifier) are referenced by the CLI/watcher but are not present in the provided file manifest or file listing — this is an internal inconsistency that will likely cause runtime failures.
- Instruction Scope (concern): SKILL.md and HOOK.md instruct the agent to clone/pull repositories, scan arbitrary repositories (local or remote), write timestamped report files into target repositories, and open PRs automatically. Those instructions imply reading and modifying arbitrary repos on disk and network access to GitHub; those behaviors are consistent with the stated purpose but are sensitive (access to repo contents and the ability to create commits/PRs). The skill also instructs being run as a hook reacting to system/command events — this expands its runtime surface significantly if enabled.
- Install Mechanism (note): No formal install spec in registry; SKILL.md suggests 'pip install -e .' and the code contains an update routine that uses git pull or pip to self-update. There are no suspicious remote download URLs in an install spec, but the self-update logic will run 'git pull' and 'pip install' which can execute code fetched from whatever remote the installed package is tracking — this is standard but worth noting if provenance is uncertain.
- Credentials (concern): The registry metadata lists no required env vars, but SKILL.md and code clearly expect credentials: GH_TOKEN (or --gh-token / gh CLI auth) for PR automation, optional Telegram tokens for notifications, and it uses dotenv. These credentials are not declared in requires.env. The skill asks for ability to run 'gh' and 'git' and to write into repos; those privileges should be considered sensitive and should be tied to explicitly-declared, scoped credentials. The mismatch between what's declared and what the code uses is problematic.
- Persistence & Privilege (note): always:false (good). However HOOK.md documents enabling Ghostclaw as an OpenClaw hook that listens to command/system events and can run automatically and open PRs. Enabling such a hook gives ongoing background access to analyze and modify repos — a powerful capability that should only be granted if you trust the skill's provenance. The skill itself does not request to be always-enabled, but can be made persistent by user action.
