Skill v1.0.0
ClawScan security
Claude Code Invoke · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 1:59 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's declared purpose (run claude -p against a Git repo) matches its instructions, but the runtime guidance encourages bypassing permission prompts and running the Claude CLI against arbitrary repositories (potentially exfiltrating code/data), and it uses Windows-specific commands despite no OS restriction — these inconsistencies and the permission-bypass flag are concerning.
- Guidance: This skill does what it claims (runs 'claude -p' inside a Git repo) but has two important risks: 1) it recommends --dangerously-skip-permissions which suppresses interactive consent and can cause repository files (including secrets) to be sent to Claude's service without confirmation; 2) the runtime examples use Windows PowerShell while the skill declares no OS restriction. Before installing or using: only run it on non-sensitive repositories, avoid the --dangerously-skip-permissions flag unless you understand the consequences, verify and control what the installed 'claude' CLI is configured to send, and consider requiring explicit user confirmation (or restricting allowed target paths) to prevent accidental data exposure. If you need a lower-risk workflow, test in an isolated repo or sandbox first.
Review Dimensions
- Purpose & Capability (ok): The name/description say it will invoke 'claude -p' inside a Git repository and the skill only requires the 'claude' binary; that is coherent. Requiring a Git repo is consistent with Claude Code's repo-aware operation.
- Instruction Scope (concern): The SKILL.md explicitly instructs running shell commands that CD into arbitrary Git repositories and invoke 'claude -p' with --dangerously-skip-permissions. That flag suppresses interactive permission checks and increases risk of uploading repository contents or sensitive files to an external service. The instructions grant broad discretion to run commands in user-specified filesystem locations (examples include absolute user paths), which could expose confidential data. The doc also focuses on Windows PowerShell invocations but the skill has no OS restriction.
- Install Mechanism (ok): There is no install spec and no code files; this is instruction-only, so nothing is written to disk by the skill itself. This is lower risk from an install-mechanism perspective.
- Credentials (note): The skill does not request environment variables or credentials (proportional). However, it implicitly depends on the user's installed Claude CLI and its configuration (which typically contains credentials). Running the CLI may transmit repository contents to the Claude service — the skill does not acknowledge or limit that data flow.
- Persistence & Privilege (ok): always is false and the skill is user-invocable only; it does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by default but is not combined here with other high privileges.
