Skill v0.4.0
ClawScan security
Skill-Eval · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 11:13 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's written architecture and runtime instructions assume cross-provider model calls, scripts, and file I/O that are not present in the package, and it does not declare the credentials or I/O permissions those operations would normally require.
- Guidance: This skill contains a detailed engine design but includes no code, no install, and no declared credentials—yet its instructions assume running scripts, writing files, and calling multiple external LLM providers. Before installing or enabling it: 1) Ask the publisher for the missing artifacts (scripts, eval configs) and for a clear list of required API keys and network endpoints. 2) Confirm where it will write outputs and whether it will read other skills or registries; restrict its filesystem scope in a sandbox if possible. 3) Require explicit declarations of any model provider credentials (OPENAI_API_KEY, ANTHROPIC_API_KEY, etc.) and limit which credentials it may use. 4) If you must run it, do so in an isolated environment with restricted network and filesystem access and audit its operations and generated files. The source is unknown—treat it as untrusted until those gaps are resolved.
Review Dimensions
- Purpose & Capability (concern): The stated purpose (autonomous, multi-model skill-evaluation engine) is plausible, but the SKILL.md describes running scripts, producing files (skill-cards, leaderboard HTML), and calling multiple external model providers. The skill package contains only SKILL.md and no scripts, no eval config files, and declares no required credentials—this is inconsistent with a tool that must orchestrate external model APIs and filesystem outputs.
- Instruction Scope (concern): The instructions reference reading/writing structured directories (evals/, workspaces/, knowledge/, skill-cards/, leaderboard/), running generator scripts (generate_skill_card.py, generate_leaderboard.py), and contacting multiple model providers for execution/judging/improvement. Those operations imply filesystem and network/API access, and potentially reading many other skills' manifests; none of these scopes are declared or constrained in the package. Because the skill is instruction-only, the agent would be given broad discretion to create files, call external models, or fetch registries to satisfy the instructions.
- Install Mechanism (ok): There is no install spec and no code files — the skill is instruction-only. This minimizes direct install-time risks (no downloaded executables). However, runtime instructions still imply actions (network calls, file writes) which are outside the install scope.
- Credentials (concern): The SKILL.md explicitly expects interaction with multiple external model providers (Anthropic, OpenAI, Google) but the skill declares no required environment variables or primary credential. A real deployment would normally require API keys or tokens for those services. The absence of declared credentials is an incoherence: either the skill expects preexisting global access (not documented) or it omits required sensitive permissions. Both cases should be clarified before use.
- Persistence & Privilege (ok): The skill does not request always:true, does not include install-time modifications, and is user-invocable only. The SKILL.md describes writing outputs into its own workspace directories, which is a normal level of presence for an evaluation tool and does not, from the provided material, claim system-wide privilege changes.
