Skill v2.2.0

ClawScan security

Max Auth · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 22, 2026, 12:23 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill largely matches a local auth-server purpose, but there are mismatches (registry metadata omits the Node.js requirement), a child-process lookup for Tailscale/hostname, and a required npm install. These inconsistencies and a small attack surface (reverse-proxy exposure, files written to home, exec invocation) warrant caution.
Guidance
This skill appears to implement a local auth server that needs Node.js and npm, but the registry metadata omitted the Node requirement — don't rely on the metadata alone. Before installing: (1) review the full auth-server.js (the listing was truncated) to confirm one-time secrets truly stay in memory and are not written to disk; (2) be cautious about exposing the server externally (reverse proxy or Tailscale examples) — only expose it with correct HTTPS and access controls; (3) note the code runs a local shell command ('tailscale status') if available — ensure your PATH and local binaries are trusted; (4) run npm install in an isolated environment (container or dedicated user) if you want to limit blast radius; (5) confirm you are comfortable with files created in ~/.max-auth (password hash, passkeys, audit log). If anything looks unexpected in the missing portions of auth-server.js, do not install or run it until clarified.

Review Dimensions

Purpose & Capability: concern
The SKILL.md and package.json clearly require Node.js (and instruct running npm install), but the registry metadata lists no required binaries; that is an incoherence. The declared purpose (local auth server with WebAuthn and one-time secret forms) does explain the files present and the npm dependency, but the metadata omission could mislead automatic guards or users.
Instruction Scope: note
Runtime instructions are focussed on deploying a local auth server: copying files to ~/.max-auth, running npm install, setting a master password, and starting the server. The instructions intentionally write persistent files under ~/.max-auth (password hash, session, passkeys, audit log) which is consistent with an auth server. The docs also show examples to expose the server via reverse proxies and Tailscale — exposing the server to networks increases risk and requires careful configuration. SKILL.md claims one-time secret values are memory-only; I could not fully verify this because the bundled JS was truncated in the listing.
Install Mechanism: note
There is no formal install spec; installation is manual (copy files, npm install). The package.json pulls @simplewebauthn/server from npm — a normal dependency for WebAuthn. Because installation is user-run (npm install), there is no direct download-from-arbitrary-URL risk, but users must be aware npm will fetch packages from the registry.
Credentials: note
The skill declares no required environment variables in registry metadata, yet the code reads optional env vars (AUTH_PORT, RP_ID, RP_ORIGIN). No unrelated credential values are requested. However, code attempts to run a child_process to call 'tailscale status --json' to determine RP_ID: this probes system state outside the described auth-server core (it’s a convenience for auto-detecting an origin but is an unexpected side-effect).
Persistence & Privilege: note
The server persists configuration and logs under the user's home (~/.max-auth) and the documentation includes a systemd example for persistent running under the user account. It does not request system-wide privileges by default (no always: true). Running it as a system service or exposing it through a reverse proxy/Tailscale raises additional risk but is an explicit operator choice in the docs.