Skill v0.1.0
ClawScan security
Code Runner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 15, 2026, 12:51 PM
- Verdict: Benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill does what it claims (runs user-provided code by invoking local interpreters/compilers), and its required resources and instructions are proportionate to that purpose, but it runs arbitrary code on the host, so users should exercise the usual caution and sandboxing.
- Guidance: This skill is internally consistent: it runs code by creating temp files and calling your local language runtimes, which is exactly what a 'code runner' should do. However, arbitrary code runs with the same privileges as the agent: it can read files, access environment variables, make network requests, and run system commands. Before installing or using it: (1) only run code you trust, or run the skill inside a sandbox/container with restricted network and file access; (2) review or test the runner script (scripts/run-code.cjs); it has a minor bug (uses Date.now without invoking it when forming an output filename) that may affect compiled output naming; (3) ensure interpreters/compilers are present on the host and that the 30s default timeout is acceptable; (4) do not feed sensitive secrets into code executed by this skill. If you need higher assurance, request a full audit of the complete run-code.cjs file and a runbook for safe sandboxing.
Review Dimensions
- Purpose & Capability: ok. Name/description match the included script and documentation: the skill ships a runner script that writes code to temp files and invokes language runtimes/compilers. It does not request unrelated credentials, binaries, or config paths.
- Instruction Scope: note. SKILL.md limits actions to executing code via the provided script and recommends using stdin; it explicitly warns about security risks (file access, network calls, system commands). The instructions do not instruct the agent to read unrelated files or credentials. However, because the skill's purpose is executing arbitrary code, the runtime can access any files/environment available to the agent; this is expected but important to note.
- Install Mechanism: ok. No install spec; the skill is instruction-only plus a local Node.js script. Nothing is downloaded from external URLs. The only artifact is scripts/run-code.cjs, which will execute when invoked.
- Credentials: ok. The skill requires no environment variables or external credentials. It does, however, execute user-supplied code which can itself read environment variables or network endpoints; the SKILL.md calls this out. No unexpected secret access is requested by the skill itself.
- Persistence & Privilege: ok. The skill does not request always: true and is user-invocable only. It does not modify other skills or system-wide configuration. Autonomous invocation is allowed by default but not combined with other concerning privileges here.
