Skill v1.1.0

ClawScan security

Symbiont · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 22, 2026, 5:13 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files, runtime instructions, and requested artifacts are coherent with a governance/scan tool: it only needs jq and an optional symbi binary (installable via a Homebrew tap), implements local scanning and deny-list enforcement, and does not request unrelated credentials or hidden endpoints.
Guidance
This package appears to be internally consistent with its governance purpose, but before installing: (1) verify the Homebrew tap/formula (thirdkeyai/tap) and review its source (brew formula may pull code), (2) inspect the scripts yourself — they are simple shell scanners and a policy guard that write local audit logs (.symbiont/audit/tool-usage.jsonl) and do not exfiltrate data, (3) ensure jq is present as declared, and (4) if you plan to use it in production or on sensitive hosts, run the scanner (clawhavoc-scan.sh) and review the symbi binary source or use a vetted release (e.g., GitHub releases or a container) before giving it any elevated privileges.

Review Dimensions

Purpose & Capability
ok: Name/description (zero-trust governance, Cedar, SchemaPin, ClawHavoc) match the included artifacts: SKILL.md describes governance workflows and the repo includes a scanner (clawhavoc-scan.sh), a policy guard (policy-guard.sh), references to SchemaPin and Cedar, and a Homebrew install of the symbi runtime. Nothing in the manifest asks for unrelated credentials, binaries, or config paths.
Instruction Scope
ok: SKILL.md instructions focus on scaffolding governance files, writing/validating Cedar policies, verifying MCP tools via symbi if available, scanning skills locally, and querying local audit logs. The included scripts operate on local files and produce local JSONL audit entries; they do not contact external endpoints or instruct the agent to read unrelated system secrets.
Install Mechanism
note: Install uses a Homebrew formula (symbi) from a third-party tap (thirdkeyai/tap). This is proportionate to the skill's stated need for the symbi runtime, but third-party Homebrew taps are a moderate trust surface — users should validate the tap/formula source before installing on sensitive systems.
Credentials
ok: The skill requires only jq (declared) and no environment variables or credentials. Scripts intentionally check for and avoid accessing deny-listed paths (.env, .ssh, .aws, etc.) and log to a local .symbiont/audit directory. There are no unexplained SECRET/TOKEN/PASSWORD requirements.
Persistence & Privilege
ok: The skill does not request always:true, does not change other skills' configs, and only writes its own .symbiont/ scaffold and audit logs in the working directory. Autonomous invocation is allowed (platform default) but is not combined with broad, unexplained privileges here.