Skill v1.3.3

ClawScan security

tick-md · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 4:31 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's documentation and runtime instructions match a git-backed task-coordination tool, but there are multiple metadata and packaging inconsistencies and a few operational steps that could modify user config or push data if allowed — the package looks legitimate but the mismatches warrant caution before installing or granting permissions.
Guidance
This skill appears to implement a legitimate git-backed multi-agent coordination system, but packaging and metadata are inconsistent and the tool can modify editor configuration and (with permission) push to remote git. Before installing or enabling it:
- Verify the upstream packages (tick-md and tick-mcp-server) come from a trusted source (check the npm publisher, GitHub repo links) before running npm install -g.
- Do NOT allow edits to your editor MCP config or run tick sync --push until you have inspected what those edits will contain. Back up any config files listed in the docs first.
- If you want to test, do so in a throwaway repository (no sensitive data, no upstream remotes) so that any automated claims/edits remain local.
- Ensure required system tools (git, jq, a shell, Node >=18) are present if you plan to run suggested scripts, and confirm those dependencies are declared by the publisher.
- Ask the publisher (or registry) to fix the metadata mismatches: the registry summary should accurately reflect required binaries, config paths, and any network access. If the publisher cannot explain the mismatches, treat the package as higher risk.
- If you enable MCP integration, restrict it to a workspace or environment with limited access and monitor git activity; only approve pushes when you review staged changes and commit messages.

Review Dimensions

Purpose & Capability
note
SKILL.md, INSTALL.md, README.md and mcp-reference all describe a CLI (tick, tick-mcp-server) and MCP integration — that is coherent with the described purpose. However the registry summary at the top of the bundle (the 'Requirements' section you provided) claims 'no required binaries / env / config paths', while skill.json, INSTALL.md, and CHANGELOG explicitly list required binaries (tick, tick-mcp, git), npm packages, Node runtime, and editor MCP config paths. This mismatch between registry metadata and the included files is an inconsistency that should be resolved before trusting the package metadata.
Instruction Scope
note
The SKILL.md instructions stay within the expected scope for a Git-backed task coordination tool: creating/claiming tasks, status checks, and interacting with an MCP server. The docs explicitly require explicit user approval before editing editor MCP config files and before any remote push. Two things to note: (1) worker role includes a shell check-in script and examples that pipe JSON to grep/jq and call tick sync --pull, implying the environment must have shell utilities (jq, grep) — these utilities are not declared in the top-level 'Requirements' you provided; (2) some instructions are open-ended (e.g., 'do the actual work') which gives an agent discretion to modify project files; while expected for a worker role, it increases the need for clear user approval boundaries.
Install Mechanism
note
This is instruction-only in the registry (no install spec executed by the platform), which is low-risk by itself. The included INSTALL.md instructs users to run 'npm install -g tick-md tick-mcp-server' and add MCP config entries; that is a standard npm install path but is not automatically performed by the platform. There are no opaque download URLs or archive extracts in the skill package. The mismatch between 'no install spec' in the top registry summary and the documentation that requires npm installs is an implementation/metadata inconsistency to be aware of.
Credentials
concern
The functional features legitimately require the tick CLI, an MCP server, git, and the ability to edit editor MCP config files (to expose tick_* MCP tools). Those are proportionate to a tool that integrates with editors and performs git-backed operations. However: (1) the registry metadata you supplied initially lists no required config paths/env, while the skill.json and docs do list editor config paths and network access; (2) the instructions and examples explicitly name user config files in home directories (~/.cursor/mcp_config.json, VS Code settings, etc.), which are sensitive locations — editing them would grant the assistant a persistent integration point; (3) the worker scripts depend on system utilities like jq which are not declared; (4) while the docs say never to run sync --push without explicit approval, the capability to push to remote git and to alter editor MCP config files is significant and must only be enabled with careful, explicit user consent. These facts make the environment/credential surface larger than the simple 'no env vars' claim at the top indicates.
Persistence & Privilege
note
always:false (not force-included) and autonomous invocation is allowed (the platform default). The skill guides users to add tick-mcp to editor MCP configuration so the assistant can call tick_* MCP tools programmatically; that is consistent with the skill's purpose but does grant a persistent integration point if the user edits their editor config. The package does not request 'always:true' or attempt to modify other skills. The key risk here is user consent: enabling MCP tools and allowing git pushes increases the agent's operational privileges — the skill's docs explicitly gate pushes and config edits by requiring explicit approval, which mitigates the concern if followed.