Skill v1.0.0

ClawScan security

ClawCompany · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 20, 2026, 3:01 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill largely matches its stated purpose (orchestrating PM/Dev/Review agents) but contains mismatches (registry metadata vs. code/docs), prompt-injection patterns in SKILL.md, and behaviors that merit careful review before installing.
Guidance
What to check before installing:
- Clarify the metadata: the registry says no required env vars, but the skill and README require GLM_API_KEY. Ask the publisher or inspect the source to confirm the required environment variables.
- Limit the GLM API key: if you provide one, use a scoped or low-privilege key and rotate it if used for testing.
- Run in dry-run mode and/or a disposable directory first: set DRY_RUN=true and PROJECT_ROOT to an empty test folder to avoid exposing real project files; the spawned agents are given cwd/projectPath and could access files under that directory.
- Inspect prompts and agent tasks: SKILL.md contains system prompts and 'return only JSON' directives. Review them to ensure there are no instructions that would leak secrets or override safety policies.
- Prefer installing from a verified source: the README references a GitHub repo and ClawHub; confirm the publisher identity and check the repository history for tampering.
- If you rely on this skill in production, request that the maintainer add declared requires.env metadata (GLM_API_KEY, PROJECT_ROOT) so installs properly inform users.
If you want, I can produce a concise checklist / commands to safely test this skill (dry-run, sandboxed directory, which files to inspect in the repo).
Findings
[system-prompt-override] expected: SKILL.md intentionally defines system prompts for PM/Dev/Review agents, so finding 'system-prompt-override' is expected; nevertheless it increases risk because the skill's prompts can influence agent behavior and could attempt to override safeguards. Review the prompts for harmful or overly permissive instructions.

Review Dimensions

Purpose & Capability
note: The name/description (AI virtual team with PM/Dev/Review agents) aligns with the code and SKILL.md: the package spawns subagents (runtime=subagent) and an 'opencode' dev agent. However, the registry metadata indicated no required environment variables, while SKILL.md, the README, and the source code all require GLM_API_KEY (and read PROJECT_ROOT/GLM_MODEL/DRY_RUN/VERBOSE). That mismatch between declared requirements and actual code is an incoherence that should be clarified.
Instruction Scope
concern: SKILL.md and the source include explicit system prompts and direct calls to sessions_spawn/sessions_history. The skill instructs subagents (and an external 'opencode' agent) to run with a supplied task and sometimes a cwd/project path. This is expected for a code-generation orchestration tool, but it also grants spawned agents contextual access to the specified project directory (cwd) and sends user requests to remote agents. SKILL.md contains prompt-like system directives (e.g., 'return only JSON'), and a pre-scan flagged a 'system-prompt-override' pattern; this is expected for agent definitions but worth flagging, because skill content can attempt to influence agent/system behavior.
Install Mechanism
ok: There is no external download or extract in the manifest; this is essentially an instruction-plus-source package. No install spec was provided in the registry metadata (instruction-only), so nothing appears to fetch arbitrary third-party binaries at install time. A package-lock is present with many dependency entries, but package.json lists only devDependencies and a peer dependency on 'openclaw' — no suspicious remote install URLs were found.
Credentials
concern: The code and README require GLM_API_KEY (GLM-5) and optionally PROJECT_ROOT, GLM_MODEL, VERBOSE, DRY_RUN. The registry metadata listed no required env vars — a clear inconsistency. Requesting GLM_API_KEY is proportionate to running PM/Review agents on GLM-5, but the missing declaration in metadata increases risk because users may not be warned. The skill does not request unrelated cloud credentials, but it does pass projectPath/cwd to spawned agents, which could expose local project files under that path to the agents.
Persistence & Privilege
ok: The skill is not 'always: true' and is user-invocable. It does not attempt to modify other skills or system-wide settings in the provided code. It uses platform session APIs (sessions_spawn/sessions_history), which is normal for this kind of skill.