Skill v1.0.0

ClawScan security

Peripheral Vision · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious
Mar 3, 2026, 9:08 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's high-level goal (watching related code, deps, and infra) is plausible, but its runtime instructions imply access to repository history, CI, environment, schemas, and upstream services while requesting no credentials or explicit access controls — the scope is vague and disproportionate to what the manifest declares.
Guidance
This skill describes broad, continuous monitoring of repo, schemas, CI/CD, environment, and upstream services but declares no credentials or concrete scope. Before installing, ask the publisher (or require in the manifest) for: 1) an explicit list of files/paths/APIs the skill will read; 2) any environment variables or external tokens it needs; 3) how it determines 'files currently open' (editor integration or heuristic); 4) whether it will contact external endpoints and which ones; and 5) whether you can restrict it to read-only access and limit scan frequency. If you can't get clear answers, avoid giving this skill tokens or broad agent permissions and consider running it manually in a limited test workspace first.

Review Dimensions

Purpose & Capability
note: The description (monitoring upstream/downstream code, schemas, env, CI) aligns with an agent that can read the repo and git history. However, the skill's stated capabilities also imply access to external services, CI systems, databases, and environment/configuration; none of those accesses are declared (no required env vars, no config paths). That mismatch is important: either the skill assumes broad implicit access from the agent/platform, or it omits needed credentials and scope descriptions.
Instruction Scope
concern: The SKILL.md directs the agent to identify 'files currently open/modified', trace direct and transitive dependencies, scan Git commits by others, detect schema migrations, inspect CI/CD and Docker configs, and detect changes in environment variables and upstream services. These instructions are open-ended (e.g., 'blind spots', 'continuously scans') and would require reading arbitrary repo files, CI systems, and possibly environment/runtime state. The instructions do not enumerate exactly which files/paths to read, which APIs to call, or what credentials (if any) to use, granting the agent broad discretion to access data outside a narrowly scoped need.
Install Mechanism
ok: Instruction-only skill with no install steps and no code files. That minimizes disk-level risk — nothing is downloaded or written by an installer. All runtime behavior would be the agent following the prose in SKILL.md.
Credentials
concern: The skill references inspecting environment variables, CI/CD, deployment/infrastructure, and upstream services, but the registry metadata declares no required environment variables, secrets, or config paths. Monitoring upstream services or CI typically needs tokens or access credentials; the absence of declared credentials is a disproportionate gap. This either means the skill expects the agent to have ambient access (not disclosed) or it will attempt to read unspecified environment variables and configs without the user being warned.
Persistence & Privilege
note: always is false (normal) and model-invocation is enabled (default). The skill's prose talks about 'continuous' and 'situational awareness', but there is no install or background daemon described. Autonomous invocation could allow the agent to run this skill repeatedly; that's expected platform behavior but increases impact if the skill is granted broad workspace/credential access. There is no indication the skill modifies other skills or agent-wide configs.