Skill v0.1.0
ClawScan security
Learned from AI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 12, 2026, 9:09 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's described purpose (turn AI chats into durable notes) matches most of its instructions, but the runtime instructions demand filesystem writes and a specific subagent/model without declaring them as required resources, a mismatch that is incoherent and potentially risky.
- Guidance: This skill appears to do what it claims (turn chats into structured notes), but its runtime instructions require reading and writing a notes/ folder and spawning a specific subagent/model, none of which is declared in the manifest. Before installing, confirm: (1) where the notes/ folder lives and whether you want an automated skill to create or modify files there; (2) how the platform authorizes subagents and models (does this skill require extra API access or keys?), and whether the forced model can be changed; (3) whether the 'cross-check' behavior will cause web requests that might leak sensitive content. If you proceed, consider editing the skill to (a) declare required config paths and any needed credentials, (b) remove hard-coded model requirements or document how that access is authorized, and (c) make persistent writes explicitly opt-in rather than the default.
Review Dimensions
- Purpose & Capability
  - note: The name and description (produce structured learning notes) align with the SKILL.md workflow (inspect source, produce main note + cheat sheet). However, the instructions require searching and writing to a notes/ folder and mandate spawning a specific subagent model (openai-codex/gpt-5.4). The skill metadata declares no required config paths or credentials, so the manifest does not document the file-system and model-access behavior the skill actually needs.
- Instruction Scope
  - concern: The SKILL.md explicitly directs the agent to read from and write to notes/ (search existing notes, create notes/<subject>.md and notes/<subject>-cheatsheet.md). It also mandates spawning a subagent with a specific model and 'thinking' setting. These are concrete actions beyond a passive transformation: they imply filesystem access and autonomous subagent/model invocation. The instructions also say to 'cross-check' facts (which may cause uncontrolled external web lookups) but do not constrain where or how verification should occur. The skill therefore instructs behavior (file I/O, network/model use) not reflected in the declared requirements.
- Install Mechanism
  - ok: No install spec and no code files; this is an instruction-only skill. This is the lowest install risk: nothing is downloaded or written by an installer.
- Credentials
  - concern: The skill requests no environment variables or credentials in the manifest, yet it requires spawning a specific subagent model (openai-codex/gpt-5.4). Model invocation typically requires platform-managed credentials or API access; the skill does not declare any needed credentials or explain how model access is authorized. Likewise, the skill's persistent read/write to notes/ is a form of config/path requirement that is not declared. The absence of declared env/config needs is inconsistent with the instructions.
- Persistence & Privilege
  - note: always is false (good). However, the SKILL.md forces persistent writes to notes/ by default ('Always save outputs in notes/ unless the user explicitly asks otherwise') and requires pre-searching that folder to avoid overwrites. That grants the skill the ability to create persistent files unless the user intervenes; this persistent-write behavior is not documented in the manifest's required config paths.
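As an added example (not part of the ClawScan report and not the skill's own code), the following Python script performs the kind of declared-versus-instructed consistency check that the Instruction Scope, Credentials and Persistence & Privilege dimensions describe: it extracts the filesystem roots, hard-coded model names, default-write phrasing and unconstrained verification from an instruction text and reports anything the manifest does not declare. The manifest shape (a dict with a requires block holding config_paths, env and models) and the SKILL.md excerpt are constructed stand-ins for illustration; ClawHub's real manifest schema and the reviewed skill's real text are not reproduced here. The "after" inputs apply the report's guidance (declare the path and model, make writes opt-in) to show the concerns clearing.

```python
"""Flag skill instructions that need resources the manifest does not declare.

Added example: the manifest shape (a dict with a 'requires' block) and the
instruction excerpt are constructed stand-ins, not ClawHub's real schema or
the reviewed skill's real SKILL.md.
"""
import re
from dataclasses import dataclass

# Constructed manifest mirroring the report: nothing declared, 'always' off.
SAMPLE_MANIFEST = {
    "name": "learning-notes",
    "always": False,
    "requires": {"config_paths": [], "env": [], "models": []},
}

# Constructed excerpt modelled on the behaviour the report describes.
SAMPLE_INSTRUCTIONS = """\
1. Search notes/ for an existing note on the subject to avoid overwrites.
2. Spawn a subagent with model openai-codex/gpt-5.4 and thinking: high.
3. Cross-check facts before writing them down.
4. Write notes/<subject>.md and notes/<subject>-cheatsheet.md.
Always save outputs in notes/ unless the user explicitly asks otherwise.
"""

# Constructed 'after' versions applying the report's guidance: declare the
# path and the model, and make persistent writes opt-in.
FIXED_MANIFEST = {
    "name": "learning-notes",
    "always": False,
    "requires": {"config_paths": ["notes/"], "env": [],
                 "models": ["openai-codex/gpt-5.4"]},
}
FIXED_INSTRUCTIONS = SAMPLE_INSTRUCTIONS.replace(
    "Always save outputs in notes/ unless the user explicitly asks otherwise.",
    "Save outputs to notes/ only when the user asks for persistent notes.")

MODEL_RE = re.compile(r"\bmodel\s+([\w-]+/[\w.-]+)", re.IGNORECASE)
# A path token: root segment, a slash, optional remainder (e.g. notes/<subject>.md).
PATH_RE = re.compile(r"(?<![\w/])([\w.-]+)/[\w.<>-]*")
WRITE_RE = re.compile(r"\b(write|create|save|overwrite)\b", re.IGNORECASE)
DEFAULT_WRITE_RE = re.compile(r"\balways\s+save\b", re.IGNORECASE)
LOOKUP_RE = re.compile(r"\b(cross-check|look\s*up|search the web)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    dimension: str
    severity: str  # "concern" or "note", as in the report
    detail: str


def check_skill(manifest: dict, instructions: str) -> list[Finding]:
    """Compare what the instructions do with what the manifest declares."""
    req = manifest.get("requires", {})
    declared_paths = {p.strip("/").split("/")[0] for p in req.get("config_paths", [])}
    declared_models = set(req.get("models", []))
    findings: list[Finding] = []

    # Hard-coded subagent/model requirements need a declared model or credential.
    models = set(MODEL_RE.findall(instructions))
    for model in sorted(models - declared_models):
        findings.append(Finding("Credentials", "concern",
            f"instructions mandate model {model} but the manifest declares "
            f"no model access or credential for it"))

    # Filesystem roots the instructions touch, minus model names that also look like paths.
    roots = {m.group(1) for m in PATH_RE.finditer(instructions)
             if m.group(0).rstrip(".") not in models}
    access = "read and write" if WRITE_RE.search(instructions) else "read"
    for root in sorted(roots - declared_paths):
        findings.append(Finding("Instruction Scope", "concern",
            f"instructions {access} {root}/ but the manifest declares no config path for it"))

    # Persistent writes that happen unless the user objects; worse if 'always' is on.
    if DEFAULT_WRITE_RE.search(instructions):
        severity = "concern" if manifest.get("always") else "note"
        findings.append(Finding("Persistence & Privilege", severity,
            "persistent writes are the default; make them explicitly opt-in"))

    # Unconstrained verification may turn into external lookups that leak content.
    if LOOKUP_RE.search(instructions):
        findings.append(Finding("Instruction Scope", "note",
            "fact verification is unconstrained and may cause external lookups"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Any 'concern' makes the skill suspicious; notes alone do not."""
    return "suspicious" if any(f.severity == "concern" for f in findings) else "ok"


if __name__ == "__main__":
    for label, manifest, text in (("before", SAMPLE_MANIFEST, SAMPLE_INSTRUCTIONS),
                                  ("after", FIXED_MANIFEST, FIXED_INSTRUCTIONS)):
        found = check_skill(manifest, text)
        print(f"{label}: {verdict(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.dimension}: {f.detail}")
```

Run as-is, the "before" inputs yield two concerns (undeclared model, undeclared notes/ root) plus two notes, so the verdict is suspicious; the "after" inputs leave only the unconstrained cross-check note, so the verdict drops to ok. The remaining note is deliberate: declaring paths and models does not bound where fact verification may send content, which is the third item in the report's guidance.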
