Skillv0.2.0

ClawScan security

Store Onboarding · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 22, 2026, 10:44 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The instructions match an onboarding workflow that legitimately needs admin passwords and bearer tokens, but the skill metadata does not declare any required credentials and other minor inconsistencies increase risk — review before use.
Guidance: This skill appears to implement a legitimate store onboarding flow, including setting an admin password and obtaining a bearer token. However, the skill metadata does NOT declare required credentials even though SKILL.md says credentials will be used — that's an inconsistency you should fix or confirm before using. Before installing or running: 1) Confirm the skill source and trustworthiness; 2) Only provide the admin password and bearer token interactively, never as persistent env vars or files; 3) Require the agent to ask for explicit consent and to confirm the target store URL (to avoid mis-targeting); 4) Test the flow on a non-production instance first; 5) Ask the publisher/maintainer to update registry metadata to declare the credential types (primary credential) so the platform can protect them. If you cannot verify the source or the metadata is not fixed, consider the skill suspicious and avoid using it for production stores.

Review Dimensions

Purpose & Capability: concernThe SKILL.md clearly describes setting an admin password and obtaining a Bearer token (sensitive operations appropriate for an onboarding skill). However, the registry metadata declares no primary credential and no required env vars/config paths. That mismatch is unexpected: a skill that handles admin credentials should declare that in its metadata so callers/platform can enforce protections.
Instruction Scope: noteThe runtime instructions stay within the stated onboarding scope: checking /v1/system/setup, POSTing to /v1/system/setup to set the admin password, then using /platform/v1/auth/tokens and profile/settings/media endpoints. The doc explicitly requires explicit user consent before making API calls and warns not to store secrets. It does not instruct the agent to read unrelated files or system state. One place to watch: the instructions assume the agent or user supplies the correct store URL and do not prescribe hostname verification or ways to confirm the target is the intended store (a potential for mis-targeting/social-engineering).
Install Mechanism: okInstruction-only skill with no install spec and no code files. This minimizes disk-write/execution risk — the skill will only run the agent's normal networking/IO actions per the SKILL.md.
Credentials: concernThe SKILL.md declares requires_credentials: true and enumerates 'Admin password' and 'Bearer token' as credential types, but the registry metadata lists no required env vars and no primary credential. That inconsistency means the platform cannot automatically protect or surface required secrets. The number and sensitivity of credentials (admin password / bearer token) are proportional to onboarding, but they should be declared in metadata so the agent/platform can handle them securely.
Persistence & Privilege: noteThe skill is not always-enabled and has no install persistence. Autonomous invocation is allowed (platform default). Because this skill deals with sensitive credentials, autonomous runs combined with the metadata omission raise risk: ensure the agent will solicit explicit consent at runtime and will not persist or leak credentials. The SKILL.md does instruct not to store or log secrets.