Skill v1.0.12
ClawScan security
Gws Modelarmor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 31, 2026, 6:34 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is instruction-only and consistent with a CLI wrapper for a 'gws' tool, but it instructs the agent to read/create a shared auth file outside its directory and relies on an undocumented external binary of unknown provenance — this mismatch and lack of transparency are concerning.
- Guidance: This skill is an instruction-only wrapper around a 'gws' CLI. Before installing, verify the source and trustworthiness of the 'gws' binary (who provides it, official repo, checksums). Open and inspect the referenced ../gws-shared/SKILL.md to see how authentication and global flags are handled — it may contain credentials or instructions that create/configure auth artifacts. Also inspect the helper SKILL.md files mentioned (sanitize-prompt, sanitize-response, create-template) to ensure they don't introduce unexpected behavior. If you cannot locate the origin/homepage of the 'gws' tool or the shared SKILL.md, treat this skill as untrusted because it can cause the agent to read or create configuration files and call an external CLI with network access.
Review Dimensions
- Purpose & Capability (ok): The skill's name/description (Model Armor content filtering) align with its instructions to call 'gws modelarmor' and inspect schema; requiring a 'gws' binary is reasonable for a CLI wrapper.
- Instruction Scope (concern): SKILL.md explicitly instructs the agent to read '../gws-shared/SKILL.md' for auth/global flags and to run 'gws generate-skills' if missing. That directs agent access to a file outside the skill's own directory and to create files, which expands scope and requires trust in what that shared file contains.
- Install Mechanism (ok): No install spec or code is present (instruction-only), so nothing is written by the skill itself. The runtime depends solely on an existing 'gws' binary.
- Credentials (concern): The skill declares no required env vars or credentials, yet points to a shared SKILL.md for auth and global flags. This non-disclosure of how authentication is handled (env, config files, or other) reduces transparency and is disproportionate.
- Persistence & Privilege (note): always:false and no code means no forced persistence, but the instructions encourage creating/reading a shared config file via 'gws generate-skills', which could modify agent files or create persistent auth artifacts — acceptable if trusted, but worth reviewing.
