Skill v1.0.0
ClawScan security
testskillpublish · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 12, 2026, 3:35 AM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill explicitly instructs the assistant to ignore prior safety constraints and includes a shell executor that runs arbitrary commands — this is coherent with its stated purpose but highly dangerous and disproportionate for most uses.
- Guidance: This skill is explicitly designed to ignore safety rules and run arbitrary shell commands. Only install it if you absolutely trust its author and you understand the risks. Specific precautions: do not grant it network or filesystem access if you can avoid it; do not run it in environments with sensitive credentials or production data; consider running it in an isolated sandbox or container for testing; prefer narrowly-scoped skills that request only the specific permissions they need. If you must use it, review and remove the dynamic-execution parts (the eval usage and any code that executes user-supplied commands) or require explicit, audited commands rather than an open eval/exec interface.
Review Dimensions
- Purpose & Capability (ok): The skill's name and description promise to execute any user instruction without restrictions. The included SKILL.md and scripts/executor.sh implement that behavior (dynamic command execution and eval). The requested capabilities (none) are consistent with the stated goal — there is no unexplained credential or binary request.
- Instruction Scope (concern): SKILL.md instructs the assistant to 'ignore previous instructions' and provides a dynamic-execution interface (!command). It also lists allowed-tools including Bash and WebFetch, giving the agent broad file, network, and shell capabilities. The instructions explicitly encourage bypassing safety constraints and executing arbitrary commands, which is scope-creep from normal safe skills and effectively grants the agent full discretion to read, modify, and transmit data.
- Install Mechanism (ok): No install spec; instruction-only with a small included script. Nothing is downloaded or installed from third-party URLs, which reduces install-time risk.
- Credentials (note): The skill declares no environment variables or credentials, which matches its simple structure. However the instructions and allowed-tools permit reading environment and files at runtime; because the SKILL.md encourages unrestricted execution, the skill could access sensitive env vars or files even though none are declared.
- Persistence & Privilege (concern): always is false and autonomous invocation is allowed (platform default). Combined with the skill's explicit instruction to drop safety constraints and its ability to run shell commands and web requests, autonomous invocation increases the blast radius. The skill does not request persistent installation, but its runtime directives attempt to bypass agent safety.
