Skill v1.0.2
ClawScan security
letcairn.work · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 10, 2026, 4:31 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions generally match a project-management CLI, but it tells the agent to install and run an external npm package and to read/write a ~/cairn workspace without declaring those config paths or install steps in the registry — this mismatch and the implied automatic file access merit caution.
- Guidance: This skill appears to do what it says (manage projects via a local markdown workspace) but has two practical concerns you should address before installing: (1) provenance of the 'cairn-work' npm package — review the package page and its source repo (postinstall scripts, maintainer, recent activity) and preferably inspect its code before running a global install; (2) filesystem access — the tool creates and expects ~/cairn and the SKILL.md implies agents will read those files automatically, so verify what file access your agent runtime will allow (limit to the ~/cairn folder, sandbox the CLI, or require explicit user invocation), and back up any existing data. If you need lower risk, run the CLI in a disposable/sandboxed environment or request the registry include an explicit install spec and declared config paths so permission boundaries are clear.
Review Dimensions
- Purpose & Capability (note): Name/description (AI project management with markdown) matches the SKILL.md content and CLI commands. However, the skill instructs installing an external npm package (cairn-work) and creating ~/cairn files even though the registry metadata declares no required config paths or install spec — a modest mismatch between claimed runtime requirements and declared metadata.
- Instruction Scope (concern): SKILL.md instructs agents to read and use auto-generated files under ~/cairn/ (AGENTS.md, .cairn/planning.md) and implies agents will 'read automatically.' That is coherent for a workspace tool, but the wording is vague and the registry doesn't declare those config paths. Any agent file access to the user's home directory could expose unrelated data if file-scope rules aren't enforced.
- Install Mechanism (concern): There is no install spec in the registry (instruction-only), yet the SKILL.md explicitly tells users to run 'npm install -g cairn-work'. Installing a global npm package pulls code from the public registry and may run install/postinstall scripts; the registry provides no provenance or vetted install mechanism here, which increases risk if the package or its maintainer are untrusted.
- Credentials (ok): The skill requests no environment variables, credentials, or special config paths in registry metadata. That is proportionate to a local filesystem-based CLI tool. The remaining concern is implicit file access to ~/cairn rather than secret env access.
- Persistence & Privilege (note): No 'always' flag is set and disableModelInvocation isn't set (defaults allow model invocation). This means the agent could potentially invoke the CLI if allowed; combined with the SKILL.md claim that agents 'read automatically', users should confirm agent runtime permissions and whether autonomous invocation is intended.
