Skill v0.1.0
ClawScan security
ASO Suite · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 5:21 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions align with its ASO CLI purpose; the only notable risk is the usual caution around installing an npm package from an external registry.
- Guidance: This skill appears coherent for controlling the ASO Suite CLI, but before installing:
  1. Inspect the 'asosuite' npm package page (maintainer, version history, download count, open issues).
  2. Prefer installing in a controlled environment (non-root or a container) rather than -g if you want to limit system impact.
  3. Review what 'asosuite login' stores and where (local config file, keychain, etc.).
  4. If you need stronger assurance, review the package source code or use a vetted alternative.
  The skill is internally consistent but installing arbitrary npm CLIs carries the usual supply-chain risk.
Review Dimensions
- Purpose & Capability (ok): The skill claims to drive the ASO Suite CLI and its SKILL.md only instructs running the 'asosuite' binary and related commands; the declared npm package and required binary match the stated purpose and there are no unrelated environment variables or config paths requested.
- Instruction Scope (ok): Runtime instructions are limited to installing the CLI, running its commands (search-apps, keywords, charts, etc.), and performing 'asosuite login'/'logout'. The SKILL.md does not instruct reading unrelated files, accessing other credentials, or exfiltrating data to unexpected endpoints. Note: 'login' implies storing credentials via the CLI itself, which is expected for a CLI that talks to a remote service.
- Install Mechanism (note): The install spec is an npm package (asosuite) producing a global 'asosuite' binary. This is proportionate to a CLI skill, but npm packages can run arbitrary install/postinstall scripts and execute code from the registry, so verify the package's provenance, maintainership, and popularity before installing globally.
- Credentials (ok): No environment variables or external credentials are declared or required by the skill metadata. The only credential interaction is the CLI's own 'login' flow, which is appropriate for a tool that accesses a remote ASO service.
- Persistence & Privilege (ok): The skill is not forced-always and does not request elevated platform privileges. Installing the npm package globally will create a system-wide binary (normal for CLIs), but the skill itself does not request persistent agent-level privileges or modify other skills' configs.
