Skill v2.1.2

ClawScan security

Gigo Lobster Register · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 8:44 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill claims to only "register a personal result page without leaderboard", but its instructions try to prevent repo inspection and the bundled code contains network upload/judge clients — the pieces don't fully align and warrant caution.
Guidance
What to consider before installing/running:
- Treat this as code-heavy: the skill bundle contains a full evaluation harness and networking clients (gateway/judge/score uploader). If you only expect a tiny "register-only" helper, this is wider in scope.
- SKILL.md contains strong 'do not inspect' directives and prompt-injection signals. Before running anything, manually inspect the wrapper (run_register.py) and the network-related scripts (scripts/gateway_client.py, scripts/score_uploader.py, bundle/harness_reference/judge_client.py) to confirm what endpoints are contacted and what data is sent.
- Because the skill can upload and call a cloud /judge endpoint, run it in an isolated environment (VM/container) or with network egress blocked until you confirm safe behavior. Prefer using flags like --skip-upload or run the 'doctor' mode first to see environment checks.
- Verify any environment variables it reads (GIGO_*, OPENCLAW_* or similar) — the skill metadata declares none, but the code/docs reference them. Do not run with sensitive credentials in your environment until you know what will be sent.
- If you proceed, monitor network activity (e.g., with a firewall, tcpdump) and inspect ~/.openclaw/workspace/outputs/gigo-lobster-register/gigo-run.log and the wrapper's stdout. Consider running a dry-run or opening the repository files yourself rather than following the SKILL.md instruction to "not inspect the repo".
If you want, I can: (a) point to the exact lines in run_register.py and the gateway/score uploader files that perform network calls, or (b) produce a short checklist of files to inspect before executing.
Findings
[ignore-previous-instructions] unexpected: Found in SKILL.md. The skill's runtime instructions include directives that attempt to constrain agent behavior (e.g., 'Do not inspect the whole repo'), which resembles prompt-injection and is not expected for a benign registration-only helper.
[unicode-control-chars] unexpected: Found in SKILL.md. The presence of unicode control characters or similar obfuscation in runtime instructions is unusual and can be used to hide or manipulate instructions; not expected for a straightforward wrapper-runner skill.

Review Dimensions

Purpose & Capability
concern: The SKILL.md and README present this as a "register-only" companion mode, but the bundle contains a full evaluation harness (50 tasks), gateway/judge clients, and upload/score_uploader code (e.g., scripts/gateway_client.py, bundle/harness_reference/judge_client.py, scripts/score_uploader.py). That larger capability (cloud /judge calls and uploading) is more than you'd expect from a simple "register share page" skill. Also SKILL.md references environment variables like GIGO_LOBSTER_NAME, GIGO_UPLOAD_MODE, GIGO_REQUIRE_PNG_CERT that are not declared in the skill metadata.
Instruction Scope
concern: SKILL.md gives very prescriptive runtime rules that limit inspection ("Do not run --help, inspect the whole repo, or switch to main.py once the wrapper command is clear") and explicitly steers the agent to run a wrapper directly and tail a specific log path (~/.openclaw/workspace/outputs/gigo-lobster-register/gigo-run.log). Those directives look like prompt-injection style containment that prevents a user/agent from exploring or verifying repository behavior before execution. The instructions also reference reading environment variables and SOUL.md for persona defaults even though none are declared in metadata.
Install Mechanism
note: There is no external install spec (no remote downloads), which lowers install-time supply-chain risk. However, the skill ships a large code bundle (hundreds of files) that will be executed locally if you run the wrapper; that increases runtime surface compared to a small instruction-only skill.
Credentials
concern: Declared requirements list no environment variables or primary credential, yet the runtime docs and code reference many configuration points (GIGO_* env vars, gateway/judge endpoints). The judge_client/gateway_client code performs network POSTs to a /judge endpoint and expects an encrypt/decrypt hook; these likely rely on runtime configuration not declared in the skill metadata. The lack of declared env vars vs. actual code behavior is a mismatch and could hide required secrets or unexpected network communication.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills' configs according to metadata. It is user-invocable and allows autonomous model invocation by default (the platform default). No excessive persistence privileges are declared.