Skillv1.1.0

ClawScan security

Agent Network · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:47 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The package mostly matches its stated purpose, but it includes mechanisms (custom message handlers and webhook examples) that can send arbitrary message content to external endpoints and a few code issues that could cause runtime failures — review and sandbox before use.
Guidance: This skill appears to implement the advertised multi-agent chat and coordination features, but it exposes extensibility points that can send message content to arbitrary external URLs or run arbitrary code via registered handlers. Before installing: 1) Review any custom handlers or webhook URLs you plan to register — they can exfiltrate messages. 2) Run the skill in a sandboxed environment (isolated VM or container) and restrict outbound network access until you trust handlers. 3) Note the skill writes a SQLite DB at data/agent_network.db — inspect that file for sensitive content and set appropriate file permissions. 4) The advanced docs use the requests library but no dependency is declared; ensure dependencies are installed in a controlled environment. 5) There is a minor bug risk: database.init_database can raise an exception if schema.sql isn't found (os.path.exists(schema_path) with schema_path None). If you lack the ability to audit the code thoroughly, treat this skill cautiously and avoid registering untrusted webhook endpoints or handlers.

Review Dimensions

Purpose & Capability: okThe code files implement a multi-agent group chat, task management, voting, and a coordinator exactly as the name/description claim. Required resources (no env vars, no external binaries) are proportionate to this purpose.
Instruction Scope: concernSKILL.md and ADVANCED.md describe registering custom message handlers and a WebhookNotifier that POSTs message content to arbitrary URLs. That permits exfiltration of any message content (including sensitive data) to external endpoints. Coordinator.register_agent accepts user-provided handlers that run in-process (in threads) and can perform arbitrary actions (network I/O, filesystem access). The core instructions otherwise stay within the collaboration scope, but these extensibility points materially broaden the attack surface.
Install Mechanism: noteThere is no install spec (lowest installer risk), but the skill ships many Python modules that will be executed when imported. The references show use of the requests library for webhooks but the package declares no dependencies — this may fail at runtime if requests isn't available. No remote download/install URLs are present.
Credentials: okThe skill declares no required environment variables or credentials, which is consistent with a local multi-agent collaboration tool. However, the webhook examples send data to external URLs (which would require network access) — there is no declaration or guard around that in SKILL.md.
Persistence & Privilege: okalways:false and default model-invocation behavior are appropriate. The skill writes a local SQLite DB (data/agent_network.db) for persistence — expected for this functionality. It does not request system-wide config changes or other skills' credentials.