Skillv1.1.2

ClawScan security

smart-security · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 21, 2026, 2:37 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated anti-injection purpose is plausible, but there are multiple mismatches and high-privilege demands (priority pre-ingestion, access to identity/memory files, webhook/Telegram behavior) and some metadata/registry inconsistencies that merit manual review before installing.
Guidance: Before installing: (1) Verify provenance — confirm the repository and author identity (SKILL.md lists a GitHub repo, but the registry metadata shows 'source unknown' / no homepage). (2) Review the exact contents of the files the skill will read (/workspace/MEMORY.md, /workspace/IDENTITY.md, /workspace/SOUL.md, etc.) — these may contain system prompts or secrets. Limit its read access to only the minimal files needed. (3) Do not grant 'highest' priority or pre-ingestion execution until you have audited the SKILL.md behavior and run the skill in a sandbox or test agent; the skill can block/alter all agent inputs. (4) If enabling webhook or Telegram alerts, ensure the webhook URL and alert channel are trusted and that no sensitive payloads will be sent; prefer local-only operation for initial testing. (5) Because this is instruction-only (no code), the runtime semantics depend on the platform: confirm how your agent enforces 'pre-ingestion' and file access and whether the skill can truly intercept inputs. (6) If you proceed, monitor AUDIT.md and INCIDENTS.md closely and consider limiting the skill's privileges (read-only, restricted paths) until you gain confidence. If you cannot verify the repo/author, treat the skill as untrusted.
Findings: [prompt-injection-pattern:ignore-previous-instructions] expected: The SKILL.md contains the string 'ignore previous instructions' inside its BLACKLIST_PATTERNS and test instructions. A scanner flagged it; this is plausibly an intended detection pattern and test case for the anti-injection skill, but presence of such patterns in a skill that can modify context is noteworthy and should be manually inspected to ensure they are only used as detection signatures and not executed as instructions.

Review Dimensions

Purpose & Capability: noteThe claimed purpose (pre-ingestion prompt-injection defense, memory integrity, tool wrapper) aligns with reading agent memory and writing audit/incident logs. However the registry metadata is inconsistent (top-level metadata shows no homepage/source while SKILL.md lists a GitHub repo), and the skill requests access to files (IDENTITY.md, SOUL.md, AGENTS.md) that may contain highly sensitive agent configuration/system prompts — this is plausible for memory integrity checks but worth extra scrutiny.
Instruction Scope: concernSKILL.md explicitly instructs the skill to run BEFORE any other logic, to intercept user_input, tool_output and memory_load, to modify context and to block execution. It also declares reads of workspace memory and identity files and writes to audit/incident logs. Those actions are coherent for a pre-ingestion defender but are high-impact: they grant the skill power to block/alter agent behavior and to access potentially sensitive system prompts and identity information. The SKILL.md also references environment variables and optional webhook behavior that are not listed as required in registry metadata (mismatch).
Install Mechanism: okThis is instruction-only (no install spec, no code files), so nothing arbitrary will be downloaded or written by an installer. The CONFIGURATION.md suggests 'clawhub install' or git clone, but there is no automated install script included — low install risk. Because there is no code to statically analyze, runtime behavior comes entirely from the SKILL.md instructions and the platform's skill runtime.
Credentials: concernRegistry lists no required env vars, but SKILL.md / CONFIGURATION.md reference several environment variables (SECURITY_WEBHOOK_URL, SEMANTIC_THRESHOLD, ALERT_THRESHOLD, SECURITY_AUDIT_LOG, SECURITY_INCIDENTS_LOG). The skill also claims alerts via the agent's existing Telegram channel (which implies use of agent-owned credentials/channels). The skill's optional webhook and Telegram alerting increase the attack surface and should be explicitly declared and limited. Requesting read access to identity/system prompt files is high sensitivity and must be justified to the operator.
Persistence & Privilege: concernThe skill requests 'highest' execution priority and pre-ingestion placement (ability to intercept and block inputs and modify context). While not set always:true, these privileges are powerful: if enabled with highest priority the skill can influence every agent run. The operator must explicitly grant that; combined with access to identity/memory files and outbound alerting channels, this is a significant authority and requires careful trust of the skill's provenance.