Skill v1.0.0

ClawScan security

Context Resume · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 3, 2026, 10:08 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's goal (reconstructing developer context) matches its instructions, but the SKILL.md asks the agent to collect wide-ranging artifacts (workspace files, shell history, editor state, test results, remote CI/dependency checks) in a very open-ended way without limits or safeguards — this broad scope could expose sensitive data and is not fully justified or constrained.
Guidance
This skill's purpose is reasonable, but the runtime instructions are very broad and could cause the agent to read sensitive local artifacts (shell history, editor state, test outputs) and probe external services (CI, remote git) without constraints. Before installing or enabling it:
- Confirm what files/paths the skill will read (workspace root only? will it access ~/, ~/.bash_history, IDE settings?). Ask the author for a precise whitelist and explicit exclusions for secrets (e.g., ~/.aws, ~/.git-credentials, .env files).
- Ensure the agent runs with least privilege: restrict filesystem scope to the project directory and disable access to home directory/history unless explicitly needed.
- Prevent outbound network egress or require explicit approval for remote checks (CI, remote branches, dependency registries). Ask whether summaries are stored locally or transmitted externally.
- Test the skill on a non-sensitive repository first to verify behavior and outputs.
- If you cannot confirm the above, treat the skill as high-risk and avoid enabling autonomous invocation.
If you want, I can produce a short list of precise questions to send to the skill author or a sandbox test plan to exercise the skill safely.

Review Dimensions

Purpose & Capability
note: The declared purpose (rebuild a developer's mental state from repo and local artifacts) aligns with the actions described in SKILL.md (git state, modified files, tests, TODOs, terminal state). However, doing this legitimately requires broad local access (repo, editor/IDE state, shell history, test outputs). The skill declares no required binaries or credentials (fine for an instruction-only skill) but does not explicitly state which files/paths it will read or what external checks it will perform.
Instruction Scope
concern: SKILL.md instructs collecting many potentially sensitive artifacts: terminal/command history, cursor/bookmark positions (IDE/editor state), last test run results, modification times, stashes, and checking external changes (new commits on main, CI status, dependency updates). These are described at a high level with no explicit whitelist/blacklist, no guidance about excluding secrets, and no explanation of whether or how collected data is stored or transmitted. The instructions are therefore broad and grant the agent considerable discretion to read sensitive files.
Install Mechanism
ok: This is an instruction-only skill with no install spec and no code files — lowest install risk (nothing is downloaded or written at install time).
Credentials
note: The skill requests no environment variables, credentials, or config paths, which is appropriate on paper. However, the artifacts it asks to collect (shell history, editor state, test output) commonly contain secrets (API keys in commands, tokens in local files). The absence of declared credentials does not eliminate risk because sensitive data may still be read from the user's file system.
Persistence & Privilege
note: always:false (not force-included) and no install persistence are good. The default ability for the agent to invoke the skill autonomously (disable-model-invocation:false) is normal for skills, but combined with the skill's broad, under-constrained instructions it increases potential impact (wider blast radius) if the agent is given file/network access without restrictions.