Skill v1.0.1

ClawScan security

uk8s · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 14, 2026, 7:27 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requested actions, tools, and inputs match its stated purpose (creating a UK8S cluster via the ucloud CLI); it is an instruction-only skill with no hidden installs or unrelated credential requests, but it contains a couple of minor operational risks (downloading a binary without checksum verification and printing/storing a plaintext cluster password) that users should be aware of.
Guidance
This skill is coherent for creating a UK8S cluster, but before running it: 1) Inspect and verify the ucloud-cli binary you download (compare it against the release's published checksums, or download it from an official source you trust), because the SKILL.md does not include any integrity check. 2) Be cautious when providing your ucloud public/private keys: enter them only into the official ucloud CLI, and never paste credentials into unknown UIs. 3) The skill generates and prints a plaintext login password and instructs you to record it; store it in a password manager and make sure it does not remain in logs, terminal scrollback, or shared systems. 4) Review the JSON payload that will be written to /tmp/create_uk8s.json before the create call is executed, to confirm it contains no unexpected values. If you need higher assurance, run the steps manually rather than allowing autonomous execution.
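Guidance item 1 is the one most easily turned into a mechanical check. The shell functions below are an added example, not part of the skill's SKILL.md or of the ucloud-cli project: they download the release archive, compare its SHA-256 against a pinned value, and only unpack into $HOME/.local/bin if the hash matches. The expected hash must come from the release's published checksum file or from a trusted machine; the release URL and archive name are assumed placeholders (the page only shows the v0.3.0 release path), and the hash shown in the usage comment is a placeholder, not a real value.

```bash
#!/usr/bin/env bash
# Added example: checksum-pinned install of a release archive.
# Not part of the uk8s skill or ucloud-cli; the curl+unzip flow it hardens is
# the one the SKILL.md performs without any integrity check.
set -eu

# sha256_of FILE: print the hex SHA-256 of FILE.
# Uses sha256sum (GNU coreutils) when present, otherwise shasum (macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_archive FILE EXPECTED_SHA256: return 0 on match, 1 on mismatch.
# The comparison is on the full 64-hex-char digest, so a prefix match is not enough.
verify_archive() {
  file="$1"
  expected="$2"
  actual="$(sha256_of "$file")"
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# install_verified URL EXPECTED_SHA256 DEST_DIR
# Downloads to a private temp dir, verifies, then unpacks into DEST_DIR.
# With 'set -e', a failed verify_archive aborts before unzip ever runs,
# so a tampered or mirrored archive never reaches the PATH.
install_verified() {
  url="$1"
  expected="$2"
  dest="$3"
  tmp="$(mktemp -d)"
  # --proto '=https' refuses any redirect to a non-TLS scheme.
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp/cli.zip" "$url"
  verify_archive "$tmp/cli.zip" "$expected"
  mkdir -p "$dest"
  unzip -q -o "$tmp/cli.zip" -d "$dest"
  rm -rf "$tmp"
}

# Usage (placeholder archive name and hash; replace with the real published values):
#   install_verified \
#     "https://github.com/ucloud/ucloud-cli/releases/download/v0.3.0/ARCHIVE.zip" \
#     "0000000000000000000000000000000000000000000000000000000000000000" \
#     "$HOME/.local/bin"
```

The point of the two-stage shape is that verification happens on the archive as downloaded, before anything is extracted or made executable; if the pinned digest is wrong or the file was altered in transit, the mismatch is printed and the install stops with a non-zero exit.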

Review Dimensions

Purpose & Capability
ok · Name/description (create a UK8S cluster) align with the runtime steps: installing/using ucloud-cli, calling UK8S-related ucloud API actions, selecting VPC/Subnet, choosing K8s version and image, assembling the CreateUK8SClusterV2 payload and invoking ucloud api. Required inputs (ucloud keys, region, zone, project id) are appropriate and expected for this task.
Instruction Scope
note · SKILL.md stays largely within the scope of cluster creation. It asks the agent to read ucloud config and API responses, interactively prompt the user when needed, write a temp JSON to /tmp, and report results. Two operational concerns: (1) it instructs the agent to record and ultimately display the plaintext cluster login password (necessary for login, but it increases exposure risk), and (2) it does not verify the downloaded ucloud-cli with a checksum or signature. Neither is covert, but both are worth user attention.
Install Mechanism
note · No packaged install spec in the registry: the SKILL.md contains a curl+unzip installation from GitHub releases (https://github.com/ucloud/ucloud-cli/releases/download/v0.3.0/...). Using a GitHub release URL is reasonable, but the instructions do not verify checksums or signatures, and they write the binary to $HOME/.local/bin, which is typical but should be reviewed by the user.
Credentials
ok · The skill requires ucloud credentials and configuration (public/private keys, region, zone, project_id), which are directly needed to call ucloud APIs. It does not request unrelated environment variables, secrets, or config paths.
Persistence & Privilege
ok · The always flag is false, no install-time persistent agent changes are requested, and the skill does not attempt to modify other skills or system-wide agent settings. It only writes a temporary JSON file and may add $HOME/.local/bin to PATH for the session when installing the CLI.