Skill v1.4.8

ClawScan security

HardStop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 2, 2026, 12:50 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The SKILL.md claims to be an LLM “instruction layer” for a local Hardstop plugin and tells the agent to run local scripts and read/write files, but the skill bundle contains no install, no code, and no declared filesystem requirements — this mismatch is concerning and needs clarification before trusting the skill.
Guidance
This skill's instructions assume a locally installed Hardstop plugin and local scripts at paths like ~/.claude/plugins/hs/commands/hs_cmd.py and ~/.hardstop/skip_next, but the skill package provides neither an installer nor code. Before installing or enabling this skill:
(1) Verify whether you already have the referenced Hardstop plugin installed; inspect the exact paths and confirm the python scripts exist and are from a trusted source (check the GitHub repo mentioned in SKILL.md).
(2) If you do not have the plugin, do not enable the skill expecting it to enforce command blocking — either obtain and review the plugin installer code or ask the skill author for an install spec.
(3) Be cautious about allowing the agent to run commands that modify files in your home directory or to execute /hs skip behavior; test in a sandbox or VM first.
(4) If you proceed, ensure the plugin code is audited (or comes from a verified release) and consider restricting autonomous agent invocation until you confirm the hook behavior.
If you want, I can (a) fetch and summarize the referenced GitHub repo for you, or (b) list specific checks to verify the local scripts before enabling the skill.

Review Dimensions

Purpose & Capability
concern: The skill describes runtime behavior that depends on a locally installed plugin (python ~/.claude/plugins/hs/commands/hs_cmd.py, ~/.hardstop/skip_next, hooks that block commands). However the published skill is instruction-only (no install spec, no code files, no required binaries). Either the skill assumes an out-of-band installation of the plugin or the bundle is incomplete; both are plausible but the lack of alignment is incoherent.
Instruction Scope
concern: The SKILL.md instructs the agent to inspect and act on arbitrary shell commands, to run local python scripts, to check and modify files under the user home (e.g., ~/.hardstop/skip_next, ~/.claude/plugins/hs/...), and to block reads of credential files. Those file/command operations go beyond simple read-only guidance and require local artifacts and hooks that are not provided. If the referenced scripts/hooks are absent, the instructions will fail or behave unpredictably.
Install Mechanism
concern: No install spec or code files are included, yet the document repeatedly references an installed plugin (and a GitHub repo). The skill therefore lacks the mechanism it says is necessary to implement its runtime behavior. This is a mismatch: either the skill should include an installer or explicitly state that it only augments an independently installed plugin.
Credentials
note: The skill requests no environment variables or credentials (proportionate), and explicitly instructs blocking reads of .env, .ssh, .aws, etc. However, the instructions still require filesystem access (home-folder paths and plugin paths). That access is not declared in the metadata and could be surprising to users if the agent attempts to read or write those paths.
Persistence & Privilege
note: The skill metadata does not request permanent presence (always:false). The SKILL.md states the external plugin installs persistent hooks that block commands; because those hooks are external to this bundle, the skill itself does not request additional privileges — but the narrative implies persistent system-level behavior if the external plugin is installed. This ambiguous split of responsibilities is worth clarifying.