Skillv0.1.0

ClawScan security

GH Triage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 6, 2026, 2:25 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill roughly matches its stated purpose (GitHub triage + lightweight auto-fixes) but has several incoherences and risky behaviors (undeclared required credentials, executes repository code during installs, and commits/pushes changes) that warrant caution.
Guidance: This skill does what it says (triage and automatic small fixes) but be cautious: the code requires a GH_TOKEN (not declared in registry metadata) and will clone repos, run 'npm ci'/'npx' and other commands that can execute code from the target repository or its dependencies. Before installing, do the following: 1) only supply a least-privilege GitHub token (limit to specific repos and to the narrowest scopes needed; if you don't want pushes/PRs, use a read-only token); 2) run the skill in an isolated environment (container or sandbox) because it executes repo code; 3) inspect and verify the skill's code and the repositories you configure; 4) consider disabling or carefully reviewing the auto-fix behavior (commits/pushes) until you trust the environment and token handling; and 5) prefer storing secrets in your host secret store rather than plaintext env files. The metadata inconsistencies (undeclared env vars and use of config.example.json instead of configurable config.json) are additional warnings — treat this as a prototype that needs hardening rather than a drop-in safe tool.

Review Dimensions

Purpose & Capability: concernThe SKILL.md and code require a GH_TOKEN for repo access and auto-fixing, and auto_fix.js optionally requires GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL — but the registry metadata declares no required environment variables or primary credential. This mismatch is an incoherence: a GitHub token is necessary for the skill to function but is not declared in the metadata.
Instruction Scope: concernRuntime instructions (and code) clone configured repos, run 'npm ci', run lint/format/test scripts, and commit/push changes using the provided token. Running 'npm ci' and 'npx' may execute lifecycle scripts or fetch/run code from npm or the repo itself — meaning arbitrary repo-supplied code could run on the host. The skill also embeds the token in the clone URL and performs write operations (create branch, commit, push, open PR). These behaviors go beyond passive triage and carry execution and write risks.
Install Mechanism: okThere is no external download/install spec; the package includes normal Node.js files and a package.json with standard dependencies (@octokit/rest, node-cron, dotenv). No arbitrary remote archive downloads or URL shorteners are used.
Credentials: concernAsking for a GitHub token is proportionate to triage and push operations, but the token is not declared in metadata and the code expects additional env vars (GIT_AUTHOR_NAME / GIT_AUTHOR_EMAIL) for commits. The skill requires a token with sufficient repo permissions (likely write access) which is powerful; the metadata should declare this and users should be advised to use least-privilege tokens. The skill also places the token into HTTPS clone URLs which can expose it in logs or git metadata if not handled carefully.
Persistence & Privilege: noteThe skill does not request 'always: true' and does not modify other skills. It can run autonomously (default model invocation allowed), which combined with an over-privileged GH token increases blast radius — but autonomous invocation alone is expected for skills.