Back to skill
Skillv1.1.1
ClawScan security
Claw Trace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 12, 2026, 2:46 PM
- Verdict
- benign
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's requirements and instructions are coherent for a tracing/visualization tool, but its mandate to automatically display every tool call's inputs/outputs (when enabled) creates a real privacy/exfiltration risk that depends entirely on correct redaction and safe defaults.
- Guidance
- This skill appears to be what it says, but be cautious: if you enable tracing, the agent will automatically show trace output after every tool call (potentially exposing sensitive inputs/outputs) unless redaction works perfectly. Before enabling: (1) test in a safe environment with non-sensitive data; (2) keep detailedLog/saveToFile disabled and use simple mode; (3) review a sample of traces to confirm redaction covers your secrets and conventions (headers, query strings, file contents, tokens in JSON, etc.); (4) avoid enabling in production or when handling private credentials. If you need stronger guarantees, request an implementation that enforces deterministic redaction rules or that never records certain categories (e.g., Authorization headers, entire request bodies for particular tools).
Review Dimensions
- Purpose & Capability
- okName, description, and runtime instructions align: the skill records and presents tool-call traces and only needs its own config.json. There are no unexplained credentials, binaries, or installs.
- Instruction Scope
- concernThe SKILL.md instructs the agent to record inputs/outputs, durations, and statuses and — when enable=true — to automatically include trace output after every tool call without waiting for user request. This is consistent with a tracer, but it significantly broadens what the agent will display (including potentially sensitive tool inputs/outputs). The document requires redaction of some patterns but does not provide an enforceable, comprehensive redaction implementation. The skill also instructs writing updates to config.json, which is within scope.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files. Nothing will be written to disk by an installer. Lower risk from installation perspective.
- Credentials
- okNo environment variables, credentials, or external config paths are requested. The config.json is the skill's own file and is appropriately scoped. No unrelated secrets are requested.
- Persistence & Privilege
- notealways is false and the skill is user-invocable. The skill can be invoked autonomously by the agent (platform default), which increases blast radius if traces include secrets — this is normal for skills but relevant given the automatic-trace mandate. The skill does write to its own config.json per its instructions, which is expected.