Skill v1.1.0

ClawScan security

cross-ref · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 21, 2026, 4:48 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's declared purpose (find and optionally comment/link/close GitHub PRs/issues) matches the code, but it omits and relies on sensitive capabilities (GitHub credentials, sending PR/issue text to external subagents) and includes explicit anti-abuse posting strategies — behaviour that needs user review before installing.
Guidance
What you should consider before installing:
- The skill will call the GitHub API via the `gh` CLI and therefore requires an authenticated `gh` client (repo scope). That credential is not listed in the registry metadata — be sure you understand and consent to granting a token with write rights if you plan to use `execute` mode.
- The analysis step sends PR/issue text (titles/bodies, truncated to ~500 chars) and compact indexes to Sonnet subagents. Confirm where Sonnet runs (your organization / a private model / a third-party service) and whether sending repository content there is acceptable for your privacy/compliance needs.
- The posting script contains deliberate anti-abuse patterns (jitter, breathing pauses, backoff) designed to avoid GitHub secondary throttles. While intended to avoid accidental blocking, this is effectively an attempt to make automated posting look organic; verify this aligns with your organization’s policy and GitHub’s terms of service before enabling automated posts at scale.
- Default mode is a dry-run (`plan`) and no comments are posted until you explicitly choose `execute`. Always run small tests (100 PRs/issues or less) and inspect approved-comments.json before posting anything.
- Practical checklist before running `execute`:
  - Use a least-privilege `gh` token (only grant what's necessary) or run tests on a repo you control.
  - Confirm Sonnet/subagent execution environment and data-retention policy.
  - Review and, if needed, modify the comment templates and daily limits to match repo rules/community norms.
- If the author updates the registry metadata to explicitly declare required credentials (gh token) and model usage (Sonnet) and documents where subagents run (private vs external), this reduces the transparency concerns and would move the assessment toward benign.

Review Dimensions

Purpose & Capability
note: Functionality (fetching PRs/issues, analyzing them with LLM subagents, posting comments/labels/close) is coherent with the described goal. However the skill relies on external capabilities that are not declared in the registry metadata: it requires an authenticated `gh` CLI (repo-scoped token) and access to Sonnet subagents/models. Those are reasonable for this purpose but should be explicitly declared.
Instruction Scope
concern: Runtime instructions tell the agent to fetch full PR/issue metadata (bodies truncated to 500 chars) and include those contents plus complete indexes in prompts sent to parallel Sonnet subagents. That means repository content (including potentially sensitive code snippets, error messages, or comments) will be transmitted to LLM subagents. The SKILL.md also instructs including the full text of references/principles.md verbatim in every subagent prompt. Additionally, the skill contains a posting workflow that intentionally avoids triggering GitHub abuse detection (jitter, breathing pauses, backoff) — i.e., explicit strategies to evade platform defenses. These are within the skill's stated aim but raise privacy and policy concerns and should be reviewed by the user.
Install Mechanism
ok: No external install steps in the skill bundle (instruction-only with local scripts). All code is provided in the repo and there are no downloads from unknown URLs or extract operations. This minimizes supply-chain risk from the installer itself.
Credentials
concern: Registry metadata lists no required env vars or primary credential, but the README and scripts require an authenticated `gh` CLI with repo scope and access to the Sonnet model (for subagents). The skill will perform write operations (comments, labels, closes) when run in `execute` mode, which requires a token with substantial privileges. The lack of declared credential requirements is a transparency gap and increases risk if users grant credentials without realizing scope or consequences.
Persistence & Privilege
note: The skill does not set always:true and defaults to `plan` (dry-run) mode, requiring explicit user confirmation to perform actions. It writes workspace progress files (approved-comments.json, comment-progress.json) locally and will resume posting where it left off. Those are normal for this functionality, but persistence combined with write-capable credentials means the skill could perform repeated posting/closing across runs if executed with a valid token.