Skill v1.0.0
ClawScan security
Computer Task Execution · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 19, 2026, 3:01 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions match its stated goal (automating multi-step tasks), but they assume persistent pattern storage and the ability to drive/read local apps and browser state without declaring where or how that persistence and access occur — this mismatch raises scope and privacy concerns you should review before installing.
- Guidance: This skill is coherent as a playbook for automating tasks, but it assumes access to local/browser sessions and persistent storage for per-site patterns without declaring where those files live or what they may contain. Before installing: (1) confirm how and where pattern memory will be stored and who can read it, (2) restrict or review any platform permissions that let the agent control the GUI/clipboard/screenshots, (3) avoid leaving sensitive accounts logged into browsers or apps you don't want automated, (4) prefer explicit user confirmation for high-risk actions (sending messages, deleting data), and (5) ask the developer to document exact runtime capabilities and storage behavior. If you cannot get those clarifications, treat the skill as higher risk and avoid enabling autonomous invocation or long-lived persistence.
Review Dimensions
- Purpose & Capability (note): The name/description describe executing real user tasks and the SKILL.md provides a coherent decision model for doing that. However, the instructions assume capabilities (local GUI automation, browser DOM inspection, screenshots, and persistent 'pattern memory' updates) that are not declared in the skill metadata (no config paths, no required binaries). That omission is plausible for an instruction-only skill, but it's a meaningful gap between claimed requirements and implied actions.
- Instruction Scope (concern): Instructions direct runtime behavior that touches sensitive surfaces: driving local apps, focusing windows, pasting via clipboard, reading DOM/browser state, taking screenshots/visual verification, and updating/reusing a persistent pattern memory. Those actions can access personal data (messages, documents, calendar items). The skill does not explicitly limit what is recorded in pattern memory or where it is stored, and it gives broad discretion ('choose the most reliable method'), which could lead to unexpected data reads or writes.
- Install Mechanism (ok): This is instruction-only and has no install spec or external downloads. That minimizes supply-chain risk because no code is pulled during install.
- Credentials (note): The skill requests no environment variables or credentials in metadata, which is proportionate. But it repeatedly assumes browser login state and access to local app accounts; it also expects to persist target-specific patterns. The absence of declared storage/config paths or explicit permission prompts is a gap worth clarifying.
- Persistence & Privilege (concern): SKILL.md mandates updating 'pattern memory' after runs (read-before-run is mandatory if a pattern exists). The skill package includes pattern templates, but runtime writes/reads to persistent storage are implied without any declared config path or explanation of storage location, retention, or sensitivity controls. Combined with autonomous invocation (allowed by default), this persistent behavior increases risk if not constrained.
