Skill v1.0.0

ClawScan security

Claude Code Dispatch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 15, 2026, 10:53 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally coherent: it legitimately invokes a local 'claude' CLI for file/shell coding tasks and only requires the expected CLI and jq; however, running the subprocess gives that tool access to your working directory and inherited environment variables, so review host permissions and secrets before use.
Guidance
This skill appears to do exactly what it promises — run the local Claude Code CLI to perform file edits and shell work — but that means the subprocess will run with your user's permissions and will inherit environment variables (including API keys). Before installing or running it: (1) confirm the 'claude' binary you install is the official package you trust (inspect package source or vendor), (2) review ~/.claude/settings.json and grant only the minimal tools (avoid granting Bash or broad Read/Edit unless necessary), (3) avoid running the skill in directories containing secrets or private keys, and (4) consider running it in an isolated user account or container if you need to limit blast radius. If you're unsure about the npm package or your environment contains sensitive credentials, treat this skill as high-risk until you audit the local Claude installation and permissions.

Review Dimensions

Purpose & Capability
ok: The name/description match the implementation: the skill dispatches prompts to a local Claude Code CLI. Required binaries (claude, jq) and the declared npm/brew installs align with that purpose; there are no unrelated credentials or surprising binaries.
Instruction Scope
note: SKILL.md and the included script keep scope narrowly to invoking the claude CLI in the specified workdir. The script checks inputs, runs claude with JSON output, and truncates results. However the documentation explicitly directs users to pre-authorize tools (Read/Edit/Glob/Grep/Bash), and notes that Claude Code inherits host environment variables, so the delegated process may be able to read/edit files and run shell commands beyond what the OpenClaw agent itself would do.
Install Mechanism
ok: Install metadata uses standard package managers: npm package '@anthropic-ai/claude-code' for the 'claude' binary and brew install for jq. No arbitrary downloads, IPs, or extract-from-URL steps are present in the manifest.
Credentials
concern: The skill does not request any environment variables itself, which is appropriate. But the SKILL.md and script acknowledge that the spawned Claude process inherits the host environment (including any API keys). That creates a real risk of exposing secrets to the subprocess or to Claude Code if its permissions allow broad filesystem or shell access. Users should treat this as sensitive and confirm the claude tool and its ~/.claude/settings.json are configured with least privilege.
Persistence & Privilege
ok: The skill is not always-enabled and does not request persistent privileges or modify other skills or system-wide agent settings. It runs only when invoked.