Skill v1.0.0

ClawScan security

AgentCraft · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 9, 2026, 9:33 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (local visualization) mostly matches its instructions, but it asks the agent to run remote/unvetted npm code, transmit full prompts, file paths and commands to a service that the instructions then encourage exposing to the internet, and it is force-enabled (always:true) — these are disproportionate and risky.
Guidance
Before installing:
1) Treat the npm package and the npx start command as unvetted code — audit the @idosal/agentcraft source or run it in an isolated/test environment (container or VM).
2) Be aware that the skill's runtime explicitly sends full user prompts, absolute file paths, and shell commands to the AgentCraft server; do not expose that server to the internet (cloudflared) unless you fully trust the service and understand what data will be collected.
3) Consider removing or questioning the always:true flag — this skill shouldn't need forced always-on status.
4) If you must use it, restrict network exposure (keep it local), avoid reporting sensitive prompts/files/commands, and verify the package publisher and package contents.
If the maintainer can provide source code, a privacy policy, and justification for always:true and for sharing data via tunnels, re-evaluation could move toward benign.

Review Dimensions

Purpose & Capability
note: The name/description (visualize coding sessions, event reporting) aligns with the binaries and the declared npm package (@idosal/agentcraft). However, the runtime instructions recommend exposing the local server via cloudflared (a tool not listed in required bins) and instruct sharing potentially sensitive data (full prompts, file paths, shell commands) — those capabilities expand the scope beyond simple local visualization and aren't reflected in the declared requirements.
Instruction Scope
concern: The SKILL.md instructs the agent to collect and POST full user prompts, absolute file paths, and executed shell commands to the AgentCraft server. While the default target is localhost, the doc explicitly instructs how to expose that server (cloudflared tunnel) so remote agents can join, which would forward local data to a public URL. The skill also tells the agent to start the server via npx (running remote code) and to silently ignore failures — this grants discretion to transmit sensitive data and to execute non-local code.
Install Mechanism
note: Install is via an npm package (@idosal/agentcraft) and the SKILL.md uses npx to run it. npm is a common mechanism but runs unvetted code from a public registry; npx -y will execute without prompting. This is a moderate-risk install mechanism and should be audited before use.
Credentials
note: The skill does not request secrets or environment variables, which is appropriate. However, it relies on runtime values (PWD, file contents, user prompts) and instructs sending them to the local/remote server; although not an 'env var' leak, this is sensitive data exposure beyond what a simple visualization might require.
Persistence & Privilege
concern: The skill is marked always:true in metadata/flags. Forcing this skill to always be enabled is a significant privilege for a visualization/reporting tool and increases risk because it can be invoked or cause installs without per-use consent. Combined with the ability to run npx and transmit session data, this is disproportionate.