Skill v0.1.0
ClawScan security
Zown Gemini Governor · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 12, 2026, 2:45 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions reference running local scripts and external CLIs (e.g., python3 scripts/cooldown.py, gemini CLI) and accessing workspace files (SOUL.md, IDENTITY.md) even though the package declares no binaries, install steps, or config paths — the pieces don't line up and could cause unexpected file I/O or arbitrary code execution if those files exist.
- Guidance
- This skill is instruction-only but instructs the agent to run local scripts and CLIs that are not declared or provided. Before installing or enabling it:
  1) Ask the publisher for source code or a homepage and for the missing scripts (scripts/cooldown.py) and exact gemini CLI requirements.
  2) Verify the gemini CLI and any scripts exist and inspect their code — running them could execute arbitrary actions.
  3) Test the skill in a sandboxed/non-production agent with autonomous invocation disabled.
  4) Confirm whether 'session_status' and the usage/footer checks are available in your agent runtime; otherwise the cooldown logic can't be trusted.
  5) Consider the privacy impact: the skill asks to summarize identity/history files (SOUL.md/IDENTITY.md) — review those files for secrets before allowing access.
  If you cannot verify the missing components or source, treat this skill as untrusted and do not enable it for sensitive or autonomous workflows.
Review Dimensions
- Purpose & Capability
- concern: The skill claims to manage Gemini TPM and stabilise model usage, but the manifest declares no required binaries, no credentials, and no install artifacts. The SKILL.md explicitly tells the agent to use the 'gemini' CLI and a local Python script (scripts/cooldown.py), yet those are not declared or provided — that's inconsistent with the stated purpose and runtime needs.
- Instruction Scope
- concern: Runtime instructions tell the agent to read/compact large files (SOUL.md, IDENTITY.md → MEMORY.md), run session_status checks, and execute a local cooldown script. These steps involve reading/writing workspace files and executing arbitrary local code that are outside the manifest's declared surface and could expose or modify persistent data.
- Install Mechanism
- note: There is no install spec (instruction-only), which is lower-risk in itself; however, the instructions assume the presence of local scripts/binaries. If those scripts exist in the agent environment, following the instructions will execute code on disk — a runtime risk even without a formal installer.
- Credentials
- note: The skill requests no environment variables or credentials in the manifest (proportional), but the SKILL.md expects access to external CLIs and session usage metrics without declaring how to authenticate or retrieve them. It also instructs summarizing identity/history files, which may cause disclosure of sensitive local data.
- Persistence & Privilege
- note: always:false and no autonomous-disabling flag are normal. The skill asks agents to update MEMORY.md after every step, creating persistent state in the workspace — this is within normal behavior but worth noting because it could cause accidental retention of sensitive context or enable repeated execution of local scripts.
