Skill v1.0.0

ClawScan security

claw-turbo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Apr 9, 2026, 4:12 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's description matches a regex-routing proxy, but the bundle omits any runnable code, mis-declares a 'primaryEnv', and its instructions allow executing arbitrary system commands from user-captures with no safety guidance — these inconsistencies and injection/privilege risks merit caution.
Guidance
This skill claims to run shell commands directly when a regex matches — that’s powerful but dangerous if misconfigured. Before installing or enabling it:
1) Inspect the GitHub repo source (not just SKILL.md) before running pip install.
2) Do not deploy on production hosts until you confirm route templates are safe — avoid systemctl/journalctl/bash calls unless necessary.
3) Sanitize and strongly constrain routes.yaml patterns and command templates (prefer fully controlled commands, not raw insertion of user captures).
4) Run the proxy in a sandboxed environment or container with least privilege and restrict network access (keep baseUrl bound to localhost and firewall it).
5) Fix the metadata oddity (primaryEnv:'python') or ask the author what credential that refers to.
6) Consider alternative approaches (explicit, validated command wrappers or a small service that exposes a safe RPC) if you need automated routing.
If you cannot review the external code or enforce strong sandboxing, treat this skill as risky and avoid installing it on critical systems.
Findings
[no_code_files_present] unexpected: The skill's README/CLI references executables and a pip-installable package, but the provided bundle includes only documentation and examples. The static scanner had nothing to analyze because there is no code — this mismatch is unexpected for a CLI tool.
[pre_scan_injection_signals_none] expected: No pre-scan injection signals were detected. That does not reduce the runtime risk from executing system commands described in SKILL.md.

Review Dimensions

Purpose & Capability
note
The declared purpose (zero-latency regex routing that executes skill scripts) is coherent with requested binaries (python3, bash). However the packaged files contain only docs and examples (no implementation or CLI), while SKILL.md instructs installing a GitHub project and running a 'claw-turbo' CLI. The metadata's primaryEnv is set to 'python' (not an environment variable name) which is incoherent with how primary credentials are normally declared.
Instruction Scope
concern
SKILL.md instructs the agent to execute system-level commands templated from regex captures (e.g., 'systemctl restart {{service}}', 'journalctl -u {{service}}', 'bash /opt/scripts/deploy.sh {{service}} staging'). There is no guidance about sanitizing capture groups, quoting, or running in a restricted environment. That design is coherent with 'devops' use but introduces a high risk of command injection or accidental execution of privileged operations if routes.yaml contains unsafe templates or an attacker can influence inputs.
Install Mechanism
note
There is no registry install spec; the SKILL.md tells users to git clone and pip install from the GitHub repo (a normal, traceable pattern). Because the distributed bundle here contains only docs/examples, the skill as presented relies on fetching code at install time from the external GitHub URL — that external code would need review before pip install. No opaque download URLs or archive extraction are present in the metadata.
Credentials
concern
The skill requests no secrets or environment variables (good), and only requires python3 and bash. However the metadata's primary credential field is set to 'python', which is nonsensical and may indicate sloppy metadata. The lack of required env vars is proportionate to the stated purpose, but the ability to run arbitrary system commands via templates creates an implicit need for careful privilege control that the instructions do not address.
Persistence & Privilege
ok
always:false and default autonomous invocation are used (normal). The skill does not request permanent system-wide privileges in metadata, and does not attempt to modify other skills' config. The main persistence/privilege concern is operational: once installed and wired as Ollama's baseUrl, it will intercept user messages and can run commands on the host — a powerful capability that should be limited by policy and environment, but this is consistent with its declared purpose.