Skill v1.0.0
ClawScan security
Subagent Isolation Guard · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 5, 2026, 12:42 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The instructions are coherent with a subagent-isolation goal, but they ask you to implement a semantic-routing bypass and rely on a simple session marker (":subagent:") and code changes — measures that are operationally risky and could be abused if not carefully designed and controlled.
- Guidance: This instruction-only skill is coherent for hardening subagent isolation, but it asks you to add a routing bypass and require session IDs to contain ':subagent:'. Before implementing: (1) perform a code review of semantic-webhook-server.py changes and restrict who can edit it and AGENTS.md; (2) avoid relying on a plain string marker — require authenticated, signed, or unforgeable session tokens (not just a prefix) so attackers cannot spoof ':subagent:'; (3) add logging, monitoring, and audits for all bypassed requests; (4) test thoroughly in a staging environment to ensure the bypass doesn't let untrusted inputs evade policy or model-safety checks; (5) consider safer alternatives (e.g., mutual TLS, signed JWT session claims, or an allowlist tied to agent identities) if you need robust isolation. If you cannot enforce these controls, treat deploying this bypass as high risk.
Review Dimensions
- Purpose & Capability (ok): The skill's name and description match the content of SKILL.md: it proposes workspace isolation and a routing bypass for subagents. It does not request unrelated credentials, binaries, or installs, so required capabilities align with the stated purpose.
- Instruction Scope (concern): SKILL.md instructs modifying runtime logic (semantic-webhook-server.py) to detect a session_key marker ':subagent:' and 'bypass' semantic routing by returning 'continue' and not injecting declarations or model suggestions. This is within the stated goal but is operationally dangerous: it creates an explicit bypass in routing logic and relies on a simple string marker that can be spoofed unless additional safeguards (authentication, signature, or unforgeable session tokens) are enforced. The instructions are also vague about implementation details and access controls.
- Install Mechanism (ok): Instruction-only skill with no install spec or code to download. No files are written by the skill itself, minimizing installer-related risk.
- Credentials (ok): No environment variables, credentials, or config paths are requested. The absence of extra secrets is proportionate to the stated purpose.
- Persistence & Privilege (note): The skill is not always-enabled and is user-invocable; however, its runtime guidance expects operators to modify server code and configuration (AGENTS.md and semantic-webhook-server.py). Those actions require write privileges and careful change control: the skill implicitly assumes the ability to edit server-side routing code and agent configuration, which elevates operational privilege requirements.
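The Guidance and Instruction Scope entries above contrast the skill's plain ':subagent:' substring check with an authenticated session token plus an audit trail. The Python below is an added example written for this page, not code from the skill or from semantic-webhook-server.py (whose real structure is not shown here). It puts the spoofable substring check beside an HMAC-signed, allowlisted, time-limited subagent token, and a stand-in routing hook that returns "continue" only for a verified token and logs every bypass. SIGNING_KEY, ALLOWED_PARENTS, TOKEN_TTL_SECONDS, the token layout and all function and class names are assumptions.

```python
"""Weak ':subagent:' marker check beside a signed subagent token.

Added example for the ClawScan review; nothing here is the skill's own code.
The real semantic-webhook-server.py hook, its config and its names are not
known from the page, so every identifier below is hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample configuration. In a deployment the signing key would come
# from a secret store, and the allowlist would be tied to real agent identities.
SIGNING_KEY = b"example-key-do-not-use-in-production"
ALLOWED_PARENTS = {"planner", "coder"}
TOKEN_TTL_SECONDS = 3600


def weak_is_subagent(session_key: str) -> bool:
    """The check the skill asks for: any caller can satisfy a substring test."""
    return ":subagent:" in session_key


def issue_subagent_token(parent_agent: str, now: float | None = None) -> str:
    """Mint a token only a holder of SIGNING_KEY can produce.

    Layout: parent:subagent:issued_at:nonce:hexmac
    The MAC covers every field before it, so none can be altered in transit.
    """
    if parent_agent not in ALLOWED_PARENTS:
        raise PermissionError(f"{parent_agent} may not spawn subagents")
    issued_at = int(now if now is not None else time.time())
    nonce = secrets.token_hex(8)  # hex only, so it never contains ':'
    payload = f"{parent_agent}:subagent:{issued_at}:{nonce}"
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{mac}"


def verify_subagent_token(token: str, now: float | None = None) -> str | None:
    """Return the parent agent id if the token is authentic, allowed and fresh."""
    parts = token.split(":")
    if len(parts) != 5 or parts[1] != "subagent":
        return None
    parent_agent, _, issued_at, _nonce, mac = parts
    payload = ":".join(parts[:4])
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    if parent_agent not in ALLOWED_PARENTS:
        return None
    current = now if now is not None else time.time()
    if not issued_at.isdigit() or current - int(issued_at) > TOKEN_TTL_SECONDS:
        return None
    return parent_agent


@dataclass
class Router:
    """Stand-in for the routing hook; records every bypass decision for audit."""

    audit_log: list[dict] = field(default_factory=list)

    def route(self, session_key: str, now: float | None = None) -> dict:
        parent = verify_subagent_token(session_key, now)
        if parent is None:
            # Untrusted sessions take the normal path: the semantic router
            # still injects declarations and model suggestions.
            return {"decision": "route", "inject_declarations": True}
        self.audit_log.append(
            {"event": "subagent_bypass", "parent": parent, "token": session_key}
        )
        return {"decision": "continue", "inject_declarations": False, "parent": parent}


if __name__ == "__main__":
    print("weak check accepts spoof:", weak_is_subagent("attacker:subagent:x"))
    token = issue_subagent_token("planner")
    print("signed token verifies as:", verify_subagent_token(token))
    print("spoofed token verifies as:", verify_subagent_token("attacker:subagent:x"))
```

The substring check and the signed check disagree exactly on the case the review worries about: a caller who merely writes ':subagent:' into the session key. Expiry and the allowlist also limit what a leaked token is worth, and the audit log gives the monitoring the Guidance calls for a concrete record to read.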
