Skillv1.0.0

ClawScan security

Seismograph · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 3, 2026, 9:08 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill claims deep, repository-wide and downstream-system analysis but provides no concrete runtime instructions, required binaries, or permission/credential requests — this mismatch makes its behavior unclear and potentially risky.
Guidance: Before installing or using this skill, ask the publisher to clarify exactly how it accesses code and downstream systems. Specifically: (1) what files, repo paths, or services does it need to read/write? (2) which binaries or tools must be available (git, language parsers, static analyzers, test runners)? (3) will it ever request or require credentials to external services, and if so, which ones and why? (4) provide concrete runtime steps or a reproducible example run on a small sample repo. Until you get those details, avoid granting repository or service credentials and prefer testing the skill in a disposable sandbox. The current SKILL.md is high-level and ambiguous — that ambiguity increases the risk of unintended data access or exfiltration if the agent is given broad read/network permissions.

Review Dimensions

Purpose & Capability: concernThe skill's purpose is to map propagation across a codebase and downstream systems, which normally requires access to repository files, static-analysis tools, test runners, or service credentials. However, the skill declares no required binaries, environment variables, config paths, or install steps. That absence is disproportionate to the claimed capability and suggests either missing requirements or that the agent will be given broad latitude to 'gather context' at runtime (which is not explicitly described).
Instruction Scope: concernThe SKILL.md describes multi-phase analyses (line-level epicenter mapping, static dependency traversal, dataflow tracing, event/subscriber discovery, downstream monitoring and contract checks) but does not include concrete runtime commands, file paths, or a restricted list of actions. The instructions are high-level and open-ended — they imply reading repository files, running tests, parsing configs, and contacting downstream systems, but do not state how the agent should do these things or what it may access. Open-ended instructions give the agent broad discretion, which is a scope-creep risk.
Install Mechanism: okNo install spec and no code files are present, which is low risk from an installation-execution perspective. That said, for the described functionality it is surprising there is truly 'zero-dependency' — realistic implementations normally require tools (git, language parsers, static analyzers). The lack of install steps reduces disk/exec risk but increases uncertainty about how the analysis actually happens.
Credentials: concernThe skill declares no required environment variables, credentials, or config paths even though the described analysis would reasonably need access to the repository, CI/test runners, and possibly service credentials for downstream systems. This mismatch could indicate omitted requirements or that the skill expects the agent to request or be granted ad hoc access at runtime — a potential vector for accidental credential exposure or over-broad access.
Persistence & Privilege: okThe skill does not request 'always' presence and defaults to user-invocable/autonomous invocation as normal. It does not claim to modify other skills or system configuration. No elevated persistent privileges are requested in the provided metadata.