Skill v1.0.1
ClawScan security
Security Check · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 10:22 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's claimed purpose (pre-install security checks) matches most of its instructions, but there are a few inconsistencies and guardrail gaps you should understand before installing.
- Guidance: What to check before installing:
  1. Clarify credentials: ask the author whether SNYK and/or a GitHub token are required, and if so where/how tokens are expected to be provided. The skill references Snyk and authenticated advisory endpoints but declares no required env vars; this should be explicit.
  2. Confirm auto-install behavior: the skill's docs say 'auto-proceed' for items scored Safe. If you want manual control, verify configuration to disable auto-install, or require explicit confirmations for all installs.
  3. Rate limits & failover: understand how the skill handles API rate limits and outages (the SKILL.md mentions caching and rate limiting as best practices but does not declare defaults). Without auth tokens GitHub rate limits are low and could cause failures.
  4. Inspect files for obfuscated content: the scanner flagged a base64 block (from an SVG badge). Review all repository files for any other embedded/encoded content (base64, long data blocks) to ensure nothing hidden is executing or being used to inject prompts.
  5. Test in a safe environment: run the skill in an isolated VM or sandbox and observe logs/behavior before letting it auto-install packages on your primary system.
  6. Ask for an implementation or code: this skill is instruction-only in the package you provided. If the platform will run agent code based on these instructions, request the actual implementation code (how it executes checks and installs) so you can audit exact commands the agent will run.

  If you want, I can draft specific questions to ask the skill author (about tokens, auto-proceed defaults, logging, and sandboxing) or produce a short checklist to validate the implementation before trusting automatic installs.
- Findings
[base64-block] unexpected: The scanner flagged a base64-block pattern. The repository README contains a base64-encoded SVG badge (data:image/svg+xml;base64,...), which explains the finding and is likely benign. However, base64 blocks can be used for obfuscated payloads or prompt-injection payloads; because the scanner reported this against SKILL.md content, double-check that no embedded/base64 content contains executable instructions or hidden payloads.
Review Dimensions
- Purpose & Capability (note): The name/description and SKILL.md consistently describe a pre-install security scanner for GitHub, PyPI, npm, and direct URLs; the listed integration endpoints (GitHub API, PyPI JSON, npm registry, OSV, GitHub Advisory) are appropriate and expected for that purpose. One minor mismatch: the skill references Snyk (which requires an API token for full API access) but the registry metadata declares no required credentials or primaryEnv. This is plausible (the skill can rely on OSV/GitHub/unauthed endpoints), but it is an unexplained omission that should be clarified.
- Instruction Scope (note): SKILL.md stays within the stated scope: detect install commands (git clone / pip install / npm install / curl | bash), fetch metadata from registries and advisories, compute a risk score, and ask for confirmation. It does instruct auto-proceed for 'Safe' results (auto-install), which is coherent with the feature but increases operational risk because it implies the skill will execute install commands on the user's behalf. The instructions do not ask the agent to read unrelated system files or exfiltrate environment variables.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files to run on install, which is the lowest-risk install mechanism. No external archives, custom binaries, or obscure download URLs are present.
- Credentials (concern): The skill references external services (Snyk, possibly GitHub Advisory API with higher rate limits) that commonly require API tokens, but the skill metadata declares no required environment variables or primary credential. This is a proportionality gap: if the implementation uses Snyk/GitHub authenticated endpoints it will require tokens, but those aren't declared. Also, auto-proceeding with installs means the skill may execute commands that could access local resources; users should confirm whether the skill will run commands only after local confirmation and whether it will store or require any tokens.
- Persistence & Privilege (ok): The skill does not request permanent inclusion (always: false), and does not declare changes to other skills or system-wide settings. Autonomous invocation is allowed (default) but that is expected for skills that monitor commands; combined with the auto-proceed behavior this increases the impact if misconfigured, but there is no explicit excessive privilege requested in the metadata.
