Skill v1.0.0

ClawScan security

Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 9:36 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's content generally matches a local, shell-based workflow runner, but there are notable inconsistencies around secret access and declared requirements (e.g., macOS keychain usage and notification tokens are used but not declared), so review before installing.
Guidance
This skill describes a local, shell-based workflow system and will (by design) read secrets and call external APIs. Before installing:
1) Verify how you will supply secrets — the docs use macOS keychain (`security`) and also expect env vars like PUSHOVER_TOKEN; ensure those are intentional and available.
2) Inspect any workflow folders (workflows/flows/*) and each run.sh before running — run.sh executes curl and other commands and may call external endpoints.
3) If you are on Linux, check how secrets should be stored (the docs assume macOS keychain).
4) Be cautious about enabling incoming webhooks: the webhook example writes incoming payloads into the workspace and executes run.sh in the background.
5) If you need least privilege, limit network access and review/approve any external service credentials used by workflows.
The skill appears to implement what it claims, but the omissions around declared binaries and env vars are reasons to inspect and harden before use.

Review Dimensions

Purpose & Capability
note: The name/description (build automated pipelines) matches the instructions and many example flow scripts. The required binaries (jq, yq, curl, uuidgen, flock) are reasonable for this purpose. However, the docs repeatedly reference the macOS `security` keychain tool, fswatch/inotifywait, and runtime env vars like PUSHOVER_TOKEN/PUSHOVER_USER which are not listed in the declared required binaries or required env vars — this mismatch is unexpected.
Instruction Scope
concern: SKILL.md and the component files instruct the agent to read secrets (via macOS keychain 'security') and to make network calls to arbitrary external services (e.g., api.example.com, pushover endpoints). Those actions are consistent with a workflow integrator, but the instructions also assume access to local keychain and to environment variables without declaring them. The webhook and webhook-server.sh example will write incoming payloads into the workspace and spawn background runs — this can cause external data to be stored and executed locally and should be audited for any workflows you add.
Install Mechanism
ok: This is instruction-only with no install spec or remote downloads, so there is no additional install-time code being written or executed by the skill bundle itself.
Credentials
concern: The skill does not declare any required environment variables but references runtime secrets in two forms: environment variables (e.g., PUSHOVER_TOKEN, PUSHOVER_USER) and OS keychain secrets accessed via `security find-generic-password`. Relying on the system keychain without declaring that requirement (nor including the `security` binary in required bins) is an incoherence. Requesting access to system-stored secrets is proportionate for an integration skill only if documented; here that documentation is inconsistent.
Persistence & Privilege
ok: always:false (normal). The skill is instruction-only and does not request permanent platform privileges or to modify other skills or system-wide agent settings. It instructs workflows to create files under the workspace (workflows/...), which is expected for this kind of tool.