Skill v1.4.0
ClawScan security
HANHANLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Feb 25, 2026, 7:05 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's documentation and instructions largely match a China-focused hotel comparison tool, but there are red flags: hidden/unusual characters detected in the SKILL.md, references to local storage and device/session identification without declaring the need for filesystem or system-level access, and an included script whose runtime behavior wasn't shown. Proceed with caution.
- Guidance: What to check before installing or enabling this skill:
  1. Inspect scripts/hotel-search-example.sh and the two omitted files for network destinations and shell commands. Ensure they only call well-known public endpoints (platforms or official hotel sites) and don't POST data to unknown servers.
  2. Search all files for hidden/unprintable/unicode control characters and for the DSML-like blocks. Confirm any web_fetch or tool-invoke calls only use trusted domains (no personal servers, IP addresses, pastebins, or URL shorteners).
  3. Clarify persistence: the docs describe storing user and family data and device/session recognition, but the skill metadata does not request filesystem or config-path access. If you plan to allow history/profile persistence, require transparency about where data will be stored, encryption, and deletion workflows.
  4. Verify that no credentials (payment, platform API keys) are being collected or required. If the skill needs APIs for deeper integration, demand explicit declared env vars and a privacy/security rationale.
  5. Run the skill in a sandboxed environment first (or with network monitoring) to confirm it only fetches public pages for price checks and does not exfiltrate data.
  If you are not comfortable with hidden characters, undeclared filesystem usage, or unreviewed shell scripts, do not install or enable the skill until the maintainer provides cleared source (human-readable script contents), an explanation of the DSML/web_fetch invocations, and an explicit description of data persistence behavior and storage locations.
- Findings
[unicode-control-chars] unexpected: The SKILL.md and other markdown files contain DSML tags and/or hidden/unusual characters flagged by the scanner. Hidden/unicode-control characters can be used to obfuscate instructions or hide tool-invocation directives; this is not expected for plain documentation and should be investigated. The package-value-analysis file contains a <|DSML|invoke name="web_fetch"> block which may be legitimate, but the control-character finding increases risk of concealed directives.
Review Dimensions
- Purpose & Capability
  - note: The skill's name/description (China hotel comparison) aligns with the files and algorithms included (search strategies, price calculation, recommendation engine). Requesting no credentials and no binaries is reasonable for an instruction-only skill that uses web fetching. However, the docs also describe device/environment recognition, session IDs, and local storage paths (/users/{user_id}/private/, /families/{family_id}/shared/) which imply filesystem access and persistent storage that are not declared in the metadata; this mismatch is noteworthy.
- Instruction Scope
  - concern: SKILL.md and the included docs instruct the agent to perform multi-platform real-time queries and to collect and persist user profiles, history, and device/session signals. They reference reading implicit signals (dialog style, device/environment) and storing per-user and per-family data in filesystem-like paths. The package-value-analysis file also contains an embedded DSML/web_fetch invocation to a public Disney URL (expected), but the presence of unicode-control-chars and DSML tags suggests the runtime instructions may include hidden or non-obvious tooling directives. The skill does not declare that it will read or write local paths or access system identifiers; this is a scope mismatch and could enable broader data access than the metadata suggests.
- Install Mechanism
  - ok: There is no install spec; this is instruction-only plus documentation and one example script. No packages or external archives are downloaded by the skill metadata, which reduces installation risk. The only potential install/runtime risk is the included script file (scripts/hotel-search-example.sh), whose contents were not provided in the evaluation text; that file could perform network or system operations at runtime and should be inspected before use.
- Credentials
  - concern: The skill declares no required environment variables or credentials (appropriate for a read-only comparison tool). However, the documentation explicitly discusses storing personal data, family-shared data, and device/environment recognition, operations that could require filesystem access, device identifiers, or additional permissions. Because those capabilities are not reflected in requires.env or required config paths, the requested/declared environment is under-specified relative to the behavior described.
- Persistence & Privilege
  - note: always:false and normal autonomous invocation are in place (no elevated persistent privilege declared). The documentation does describe persistent storage locations and a learning/feedback loop (history learning, profiles, shared family storage). That behavior implies the skill expects to persist user data, but the metadata does not declare any config paths or permissions; this mismatch should be resolved. There is no explicit claim that the skill will modify other skills or system-wide settings.
