Skill v1.1.1

ClawScan security

Factory · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 21, 2026, 10:06 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions match its stated goal (installing a multi-skill toolkit and optional MCP server) but they rely on high-risk install patterns (npx, GitHub plugin installs, and a curl | sh installer) and ask the agent to modify agent/server configs and auto-start services—these behaviors are coherent with the purpose but are potentially dangerous and deserve manual review before running.
Guidance
This skill appears to do what it says, but it uses risky install patterns (npx, GitHub plugin installs, and a curl | sh installer) and will modify agent/server configuration to auto-start services. Before installing:
1) Inspect the referenced GitHub repo (https://github.com/fortunto2/solo-factory and solograph) and review release artifacts and install scripts;
2) Avoid piping remote scripts to sh — download, inspect, and verify signatures/checksums first;
3) Prefer cloning the repo and running installs in a disposable VM/container or sandbox;
4) Expect interactive logins or elevated permissions for clawhub/claude/mcporter and verify what accounts will be used;
5) Backup any .mcp.json or agent config files before applying changes;
6) If you cannot audit the code, treat automatic installs and auto-starting MCP services as high risk and do not run them on production machines.

Review Dimensions

Purpose & Capability
ok
The name/description claim a one-command installer for a 23-skill toolkit plus optional solograph MCP; the SKILL.md contains concrete commands (npx, clawhub, claude plugin, mcporter/.mcp.json edits, uvx solograph) that implement that purpose. No unrelated credentials or bizarre side effects are requested in the instructions.
Instruction Scope
concern
Instructions tell the agent to run remote installers, install plugins across multiple agent platforms, and modify agent MCP configuration (.mcp.json, mcporter). They do not ask to read unrelated host files or environment variables, but they do instruct actions that give the installed components broad, persistent capabilities (auto-starting MCP, adding hooks).
Install Mechanism
concern
There is no formal install spec in the registry, but the runtime instructions direct use of npx (executes remote packages), claude plugin installs from a GitHub URL, and explicitly suggest a curl -LsSf https://astral.sh/uv/install.sh | sh command — downloading and piping a script to sh is high risk. The instructions do not provide pinned releases, checksums, or verification steps.
Credentials
note
The skill declares no required environment variables or secrets, which is consistent. However, some of the suggested flows (clawhub install, claude plugin install, mcporter config) may require account credentials or elevated access at runtime even though they are not declared — the documentation does not warn about or justify these implicit auth/permission requirements.
Persistence & Privilege
concern
The installer configures long-running components (solograph MCP), suggests MCP auto-start and adding hooks/plugins across agents, and edits agent configuration (mcporter/.mcp.json). While plausible for a toolkit installer, these are persistent, cross-agent changes that increase the blast radius if the installed code is malicious or buggy.