Skill v1.0.0

ClawScan security

具身智能前沿追踪系统 (Embodied AI Frontier Tracking System) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 7, 2026, 1:54 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (tracking papers/projects/videos) matches its instructions, but it requests runtime shell/file tools (exec_shell, read_file, grep_file) that are broader than necessary and could be abused; no install or creds are required, but the tool permissions are a notable risk.
Guidance
This skill is coherent with its stated goal of finding papers, GitHub repos, and demo videos and producing a daily markdown report. The main risk is the runtime tool set declared in the SKILL.md: exec_shell and read_file let the agent run arbitrary shell commands and read local files, which is more privilege than a pure web-scraper strictly needs. Before installing, consider: (1) require the skill to run in a sandboxed environment where exec_shell and file-read are limited or disabled; (2) ask the author to justify and narrow the allowed-tools (e.g., allow network fetch but not arbitrary file reads); (3) monitor what commands the agent runs and review logs; (4) do not provide any secrets (GitHub tokens, AWS keys) unless absolutely necessary and reviewed. If you cannot restrict shell/file access, treat this skill as higher-risk and prefer running it manually or in an isolated VM/container.

Review Dimensions

Purpose & Capability
note: The name/description (embodied AI tracker + video collection) align with the SKILL.md instructions (site: searches, GitHub and video searches, structured report). The skill does not request unrelated environment variables or external services. However, the SKILL.md declares allowed-tools (Bash: grep_file, glob_file, exec_shell, read_file) that grant local shell and file access; while exec_shell can be used to run curl/wget for scraping (plausible), read_file/grep_file are not clearly necessary for the stated web-scraping and reporting purpose and therefore appear broader than required.
Instruction Scope
ok: Instructions stay on-topic: they specify search queries, selection/filtering criteria, ranking tiers, and a markdown reporting template. They do not instruct the agent to collect unrelated system data or to transmit data to unexpected endpoints. The only scope concern is that the allowed-tools permit reading local files and arbitrary shell commands, but the SKILL.md content itself does not direct the agent to read user files or secrets.
Install Mechanism
ok: No install spec and no code files — instruction-only. This minimizes supply-chain risk because nothing is downloaded or written to disk by an installer.
Credentials
ok: The skill requests no environment variables, credentials, or config paths, which is proportionate for a public web-scraping/tracking tool. (Note: GitHub/API rate limits are not addressed — the skill appears to rely on public web pages/search without asking for API keys.)
Persistence & Privilege
concern: always:false and no install means the skill does not demand persistent inclusion, which is good. However, allowed-tools (exec_shell, read_file) enable arbitrary shell execution and local file reads while the agent is invoked (and autonomous invocation is allowed by default). That combination increases risk if the agent is permitted to run unreviewed commands or operate without strict sandboxing.