Skill v2.0.0
ClawScan security
ClawScan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Feb 11, 2026, 8:50 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's files and instructions match a legitimate security scanner, but there are several red flags (prompt-injection content in SKILL.md, a third-party repository/author that is not clearly verified, and a tool that persists data under ~/.skillguard and may fetch/update vulnerability data) that warrant manual review before running.
- Guidance: what to check before running or installing:
  - Review the code yourself (open scripts/skillguard.py). Search for network calls, subprocess.run/os.system usage, code that writes or executes downloaded content, and auto-update routines. Pay special attention to anything that runs shell commands or executes dynamically constructed code (eval/exec/compile).
  - Investigate the GitHub repository and author: confirm the repo exists, check commit history, issues, stars, and whether the author or organization is trustworthy. If the package points to a repo but already contains the script, prefer the included files over re-cloning automatically.
  - Because SKILL.md contains unicode control characters (prompt-injection markers), view the raw file in a safe viewer (or with cat -v) and remove or clean those characters before feeding the file to any automated LLM-based evaluator.
  - Run the scanner first in a sandboxed environment or under a non-privileged user account (container or VM) so you can observe its network activity and file writes. Monitor outbound connections to confirm the tool only contacts the servers you expect.
  - Inspect what ~/.skillguard will contain (trusted.json, vulns.json, cache). Decide whether you are comfortable with the tool persisting a vulnerability DB and a trust list on disk, and whether it will auto-update that DB from network sources.
  - Do not run it as root. For higher assurance, ask the author for a signed release or a reproducible build, and consider static analysis or running the script through a vetted linter/security tool.
  - If you are not comfortable performing these checks, treat the package as untrusted and do not execute its scripts on your machine.
- Findings: [unicode-control-chars] unexpected: Prompt-injection patterns (unicode control characters) were found in SKILL.md. A scanner skill does not need to include such characters; they are commonly used to manipulate LLMs or to evade simple text parsing. Inspect them and remove or justify them before trusting the package.
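Two of the checks above are mechanical and worth scripting before any LLM-based evaluator or human reads the package: finding the hidden unicode characters in SKILL.md, and listing every call in the Python script that spawns a process, evaluates dynamic code, or reaches the network. The following is an added example written for this page; it is not ClawScan's scanner and not part of the SkillGuard package. The SKILL.md excerpt and the script inside it are constructed samples with hidden characters and risky calls planted on purpose, the file name check_skill.py is hypothetical, and the lists of risky call names and modules are an illustrative starting set rather than a complete catalogue.

```python
import ast
import sys
import unicodedata
from pathlib import Path

# Constructed sample of a SKILL.md: a zero-width space, a right-to-left override
# and a run of Unicode "tag" characters spelling "Ignore" are planted on purpose.
# This is NOT the real SKILL.md of the package.
SAMPLE_SKILL_MD = (
    "# SkillGuard\n"
    "Scan a skill folder for risky code.\u200b\n"
    "Run:\u202e python scripts/skillguard.py scan <path>\n"
    "\U000E0049\U000E0067\U000E006E\U000E006F\U000E0072\U000E0065 normal text\n"
)

# Constructed sample script showing the call shapes the guidance tells you to
# look for, including aliased imports. This is NOT scripts/skillguard.py.
SAMPLE_SCRIPT = """
import os, json
import subprocess as sp
import urllib.request
from os import system as sh

def update_db(url):
    data = urllib.request.urlopen(url).read()
    with open(os.path.expanduser("~/.skillguard/vulns.json"), "wb") as f:
        f.write(data)

def run_hook(cmd):
    sp.run(cmd, shell=True)
    sh(cmd)
    return eval("1+1")
"""

ALLOWED_CONTROL = {"\n", "\r", "\t"}  # line structure that belongs in Markdown

# Illustrative starting lists (assumption, not a complete catalogue).
RISKY_CALLS = {"eval", "exec", "compile", "__import__",
               "os.system", "os.popen", "os.execv", "os.execvp", "os.spawnl"}
RISKY_MODULES = {"subprocess", "socket", "urllib", "requests", "http", "ftplib"}


def is_hidden(ch):
    """True for characters that render invisibly or reorder text yet are still
    tokenized: C0/C1 controls other than newline/tab (category Cc), format
    characters such as zero-width spaces and bidi overrides (category Cf), and
    anything in the Unicode tag block U+E0000..U+E007F."""
    cat = unicodedata.category(ch)
    return ((cat in ("Cc", "Cf") and ch not in ALLOWED_CONTROL)
            or 0xE0000 <= ord(ch) <= 0xE007F)


def find_hidden_chars(text):
    """Return (line, column, codepoint, name) for every hidden character."""
    return [(lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unassigned>"))
            for lineno, line in enumerate(text.split("\n"), start=1)
            for col, ch in enumerate(line, start=1) if is_hidden(ch)]


def strip_hidden_chars(text):
    """Copy of the text with every hidden character removed, safe to hand to an
    LLM-based evaluator once a human has reviewed what was stripped."""
    return "".join(ch for ch in text if not is_hidden(ch))


def _import_aliases(tree):
    """Map local names to module-qualified ones so `import subprocess as sp` and
    `from os import system as sh` are still recognised as subprocess / os.system."""
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                root = a.name.split(".")[0]
                aliases[a.asname or root] = a.name if a.asname else root
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module}.{a.name}"
    return aliases


def _dotted_name(node):
    """Callee of a Call node as a dotted string (e.g. urllib.request.urlopen),
    or None when the callee is not a plain name/attribute chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def find_risky_calls(source):
    """Parse Python source and return (line, resolved callee) for every call that
    spawns a process, evaluates dynamic code or talks to the network, by line."""
    tree = ast.parse(source)
    aliases = _import_aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and (name := _dotted_name(node.func)):
            root, _, rest = name.partition(".")
            full = aliases.get(root, root) + ("." + rest if rest else "")
            if full in RISKY_CALLS or full.split(".")[0] in RISKY_MODULES:
                findings.append((node.lineno, full))
    return sorted(findings)


def main(argv):
    """Usage: python check_skill.py SKILL.md scripts/skillguard.py
    (no arguments: check the constructed samples above instead)."""
    if len(argv) == 3:
        skill_md = Path(argv[1]).read_text(encoding="utf-8")
        script = Path(argv[2]).read_text(encoding="utf-8")
    else:
        skill_md, script = SAMPLE_SKILL_MD, SAMPLE_SCRIPT
    for line, col, cp, name in find_hidden_chars(skill_md):
        print(f"SKILL.md:{line}:{col} hidden character {cp} {name}")
    for line, callee in find_risky_calls(script):
        print(f"script:{line} risky call {callee}()")


if __name__ == "__main__":
    main(sys.argv)
```

The alias map matters in practice: a grep for `subprocess.run` misses `from subprocess import run as r`, which is exactly the kind of indirection a script that wants to pass a casual review would use. The checker still only sees static call sites, so `getattr(os, "sys" + "tem")` or code assembled at runtime will not be caught; that is why the guidance also asks for a sandboxed run with network and file-write monitoring rather than static review alone.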
Review Dimensions
- Purpose & Capability (ok): The name/description match the provided code and SKILL.md: this is a local security scanner that analyzes skill code and dependencies. It does not request unrelated credentials or unusual binaries in the manifest.
- Instruction Scope (note): Runtime instructions stay within the scanner's purpose (scan a skill, scan a folder, audit installed skills). However, SKILL.md contains detected prompt-injection markers (unicode control characters), which could be an attempt to manipulate automated evaluation or LLMs; it also instructs cloning and running a third-party GitHub repo, so exercise caution before executing.
- Install Mechanism (note): There is no formal install spec in the package; SKILL.md recommends cloning a GitHub repo and making scripts executable. Using GitHub is common, but because the source/owner is not verified here, pulling and executing code from that repo is a risk. The package already includes scripts/skillguard.py, so a separate download isn't strictly necessary.
- Credentials (ok): The skill declares no required environment variables or credentials. The scanner looks for patterns that reference secrets (e.g., ~/.ssh, OPENAI_API_KEY) but does not itself request or require those credentials in the manifest.
- Persistence & Privilege (note): The scanner creates a user config directory (~/.skillguard) to store config, a trust list, a vulnerability DB, and a cache. This is plausible for a scanner, but it is persistent and may fetch and overwrite data (the vuln DB). The skill is not force-included (always:false) and does not request elevated privileges in the manifest.
